lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 11 Dec 2013 17:49:09 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: Potentially unbounded allocations in seq_read?

On Wed, Dec 11, 2013 at 05:04:41PM +0000, Tvrtko Ursulin wrote:
> Hi all,
> 
> It seems that the buffer allocation in seq_read can double in size
> indefinitely, at least I've seen that in practice with /proc/<pid>/smaps
> (attempting to double m->size to 4M on a read of 1000 bytes). This
> produces an ugly WARN_ON_ONCE, which should perhaps be avoided? (given
> that it can be triggered by userspace at will)

An entry in /proc/<pid>/smaps that did not fit into 2Mb?  Seriously?
How in hell has that happened?  If you can trigger that at will, please
post the reproducer.

> >From the top comment in seq_file.c one would think that it is a
> fundamental limitation of the current code that everything which will be
> read (even if in chunks) needs to be in the kernel side buffer at the
> same time?
> 
> If that is true then only way to fix it would be to completely re-design
> the seq_file interface, just silencing the allocation failure with
> __GFP_NOWARN perhaps as a temporary measure.
> 
> As an alternative, since it does sound a bit pathological, perhaps users
> for seq_file who know can be printing out such huge amounts of text
> should just use a different (new?) facility?

If a seq_file user is attempting to spew a couple of megs of text in one
->show() call, there's definitely something misused.  Either they ought
to use a different iterator (might be feasible if that monster entry is
produced by some kind of loop) or just not use seq_file at all.

I'm very surprised that /proc/*/smaps has managed to step into that,
though - show_pid_smap() shouldn't be able to do so, AFAICS...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ