| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACT4Y+a0pD2JUkuxugcmnLNPv3a0MK_51Gb0fqNqGYQjJLNBnA@mail.gmail.com>
Date: Sun, 24 Jan 2016 12:24:26 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jslaby@...e.com>,
Daniel Vetter <daniel.vetter@...ll.ch>,
David Herrmann <dh.herrmann@...il.com>,
Peter Hurley <peter@...leysoftware.com>,
Imre Deak <imre.deak@...el.com>,
"Lad, Prabhakar" <prabhakar.csengg@...il.com>,
Nicolas Pitre <nicolas.pitre@...aro.org>,
Nicholas Mc Guire <hofrat@...dl.org>,
Scot Doyle <lkml14@...tdoyle.com>,
Denys Vlasenko <dvlasenk@...hat.com>,
Takashi Iwai <tiwai@...e.de>,
LKML <linux-kernel@...r.kernel.org>
Cc: syzkaller <syzkaller@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Sasha Levin <sasha.levin@...cle.com>
Subject: tty: kmalloc size WARNING in vc_do_resize
Hello,
The following program triggers kmalloc size WARNING in vc_do_resize:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <termios.h>
#include <sys/ioctl.h>
int main()
{
int fd = open("/dev/tty1", O_RDWR);
struct winsize ws;
ws.ws_row = 0x1000;
ws.ws_col = 0x5dc;
ws.ws_xpixel = 0x2;
ws.ws_ypixel = 0x0;
ioctl(fd, TIOCSWINSZ, &ws);
return 0;
}
------------[ cut here ]------------
WARNING: CPU: 3 PID: 7642 at mm/page_alloc.c:2999
__alloc_pages_nodemask+0x7d2/0x1760()
Modules linked in:
CPU: 3 PID: 7642 Comm: a.out Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88006d24f610 ffffffff82999e2d 0000000000000000
ffff880060d9af80 ffffffff86475560 ffff88006d24f650 ffffffff81352089
ffffffff816721e2 ffffffff86475560 0000000000000bb7 00000000024240c0
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[< inline >] __alloc_pages_slowpath mm/page_alloc.c:2999
[<ffffffff816721e2>] __alloc_pages_nodemask+0x7d2/0x1760 mm/page_alloc.c:3253
[<ffffffff8174a799>] alloc_pages_current+0xe9/0x450 mm/mempolicy.c:2090
[< inline >] alloc_pages include/linux/gfp.h:459
[<ffffffff8166df66>] alloc_kmem_pages+0x16/0x100 mm/page_alloc.c:3433
[<ffffffff816c698f>] kmalloc_order+0x1f/0x80 mm/slab_common.c:1008
[<ffffffff816c6a0f>] kmalloc_order_trace+0x1f/0x140 mm/slab_common.c:1019
[< inline >] kmalloc_large include/linux/slab.h:395
[<ffffffff8175b624>] __kmalloc+0x2f4/0x340 mm/slub.c:3557
[< inline >] kmalloc include/linux/slab.h:468
[<ffffffff82d47800>] vc_do_resize+0x2c0/0x1140 drivers/tty/vt/vt.c:874
[<ffffffff82d4878a>] vt_resize+0xaa/0xe0 drivers/tty/vt/vt.c:993
[< inline >] tiocswinsz drivers/tty/tty_io.c:2357
[<ffffffff82cf22b3>] tty_ioctl+0x1083/0x2160 drivers/tty/tty_io.c:2869
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817efdac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817f0c5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
---[ end trace cc28f7cc9d447282 ]---
I think that either the kmalloc should use __GFP_NOWARN or
vc_do_resize should do stricter size check.
On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2.
Powered by blists - more mailing lists