lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.DEB.2.10.1602050227580.10138@chino.kir.corp.google.com>
Date:	Fri, 5 Feb 2016 02:32:00 -0800 (PST)
From:	David Rientjes <rientjes@...gle.com>
To:	Dmitry Vyukov <dvyukov@...gle.com>
cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Jiri Slaby <jslaby@...e.com>,
	Peter Hurley <peter@...leysoftware.com>,
	One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>,
	LKML <linux-kernel@...r.kernel.org>,
	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>
Subject: Re: [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc

On Fri, 5 Feb 2016, Dmitry Vyukov wrote:

> On Thu, Feb 4, 2016 at 11:11 PM, David Rientjes <rientjes@...gle.com> wrote:
> > On Thu, 4 Feb 2016, Dmitry Vyukov wrote:
> >
> >> Size of kmalloc() in vc_do_resize() is controlled by user.
> >> Too large kmalloc() size triggers WARNING message on console.
> >>
> >> Use __GFP_NOWARN for this kmalloc() to not scare admins.
> >>
> >
> > Hmm, this is hitting the WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)) for
> > order >= MAX_ORDER.
> >
> > vc_do_resize() has
> >
> >         if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
> >                 return -EINVAL;
> >
> > so the appropriate fix would seem to be to reject sizes that would exceed
> > the page allocator's ability to return contiguous memory (MAX_ORDER)
> > rather than ever trying the allocation in the first place.
> 
> Hi David,
> 
> Please see Alan response to original report here:
> https://groups.google.com/d/msg/syzkaller/ufjvr5j0URo/lTlpYP0DBQAJ
> I can't say that I fully understand it.
> 

vc_do_resize() might not know a stricter limit, but we know the limit that 
the page allocator can provide, and that's MAX_ORDER-1.  kmalloc() with a 
size >= (1 << (PAGE_SHIFT + MAX_ORDER)) will always fail, so if that is 
really the upper limit, then so be it.  We should return -EINVAL 
appropriately and not -ENOMEM.

I'm thinking that the actual limit would actually be 
(1 << (PAGE_SHIFT + pageblock_order)) since even memory compaction isn't 
going to be able to defragment more than that, but the absolute max would 
always be MAX_ORDER-1.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ