| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Oct 2016 15:18:28 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: gregkh@...uxfoundation.org, jslaby@...e.com,
gnomes@...rguk.ukuu.org.uk, peter@...leysoftware.com
Cc: Dmitry Vyukov <dvyukov@...gle.com>,
David Rientjes <rientjes@...gle.com>,
linux-kernel@...r.kernel.org, syzkaller@...glegroups.com
Subject: [PATCH] tty: limit terminal size to 4M chars
Size of kmalloc() in vc_do_resize() is controlled by user.
Too large kmalloc() size triggers WARNING message on console.
Put a reasonable upper bound on terminal size to prevent WARNINGs.
Signed-off-by: Dmitry Vyukov <dvyukov@...gle.com>
CC: David Rientjes <rientjes@...gle.com>
Cc: One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Jiri Slaby <jslaby@...e.com>
Cc: Peter Hurley <peter@...leysoftware.com>
Cc: linux-kernel@...r.kernel.org
Cc: syzkaller@...glegroups.com
---
I've sent a patch that adds __GFP_NOWARN to the kmalloc() a while ago:
https://groups.google.com/d/msg/syzkaller/9xTEI2ghFwA/fTgt7oonAAAJ
But David and One Thousand Gnomes suggested that we should put
a reasonable upper bound rather than blindly trying kmalloc().
"I think we can go down to something like cols * lines < 4MB
with complete safety".
Example WARNING:
WARNING: CPU: 3 PID: 7642 at mm/page_alloc.c:2999
__alloc_pages_nodemask+0x7d2/0x1760()
Modules linked in:
CPU: 3 PID: 7642 Comm: a.out Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88006d24f610 ffffffff82999e2d 0000000000000000
ffff880060d9af80 ffffffff86475560 ffff88006d24f650 ffffffff81352089
ffffffff816721e2 ffffffff86475560 0000000000000bb7 00000000024240c0
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[< inline >] __alloc_pages_slowpath mm/page_alloc.c:2999
[<ffffffff816721e2>] __alloc_pages_nodemask+0x7d2/0x1760 mm/page_alloc.c:3253
[<ffffffff8174a799>] alloc_pages_current+0xe9/0x450 mm/mempolicy.c:2090
[< inline >] alloc_pages include/linux/gfp.h:459
[<ffffffff8166df66>] alloc_kmem_pages+0x16/0x100 mm/page_alloc.c:3433
[<ffffffff816c698f>] kmalloc_order+0x1f/0x80 mm/slab_common.c:1008
[<ffffffff816c6a0f>] kmalloc_order_trace+0x1f/0x140 mm/slab_common.c:1019
[< inline >] kmalloc_large include/linux/slab.h:395
[<ffffffff8175b624>] __kmalloc+0x2f4/0x340 mm/slub.c:3557
[< inline >] kmalloc include/linux/slab.h:468
[<ffffffff82d47800>] vc_do_resize+0x2c0/0x1140 drivers/tty/vt/vt.c:874
[<ffffffff82d4878a>] vt_resize+0xaa/0xe0 drivers/tty/vt/vt.c:993
[< inline >] tiocswinsz drivers/tty/tty_io.c:2357
[<ffffffff82cf22b3>] tty_ioctl+0x1083/0x2160 drivers/tty/tty_io.c:2869
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817efdac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817f0c5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
---
drivers/tty/vt/vt.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 06fb39c..652abc1 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -870,6 +870,8 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
if (new_cols == vc->vc_cols && new_rows == vc->vc_rows)
return 0;
+ if (new_screen_size > (4 << 20))
+ return -EINVAL;
newscreen = kmalloc(new_screen_size, GFP_USER);
if (!newscreen)
return -ENOMEM;
--
2.8.0.rc3.226.g39d4020
Powered by blists - more mailing lists