| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Dec 2016 16:00:28 -0500 (EST)
From: Alan Stern <stern@...land.harvard.edu>
To: Andrey Konovalov <andreyknvl@...gle.com>
cc: Felipe Balbi <balbi@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Al Viro <viro@...iv.linux.org.uk>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Deepa Dinamani <deepa.kernel@...il.com>,
Michal Hocko <mhocko@...e.com>,
Mathieu Laurendeau <mat.lau@...oste.net>,
Bin Liu <b-liu@...com>, USB list <linux-usb@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
syzkaller <syzkaller@...glegroups.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Kostya Serebryany <kcc@...gle.com>
Subject: Re: usb/gadget: warning in ep_write_iter/__alloc_pages_nodemask
On Mon, 12 Dec 2016, Andrey Konovalov wrote:
> On Mon, Dec 12, 2016 at 9:31 PM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
> > Hi!
> >
> > While running the syzkaller fuzzer I've got the following error report.
> >
> > The issue is that the len argument is not checked for being too big.
> >
> > WARNING: CPU: 1 PID: 9935 at mm/page_alloc.c:3511
> > __alloc_pages_nodemask+0x159c/0x1e20
> > Kernel panic - not syncing: panic_on_warn set ...
> >
> > CPU: 1 PID: 9935 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #34
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> > ffff88006949f2c8 ffffffff81f96b8a ffffffff00000200 1ffff1000d293dec
> > ffffed000d293de4 0000000000000a06 0000000041b58ab3 ffffffff8598b510
> > ffffffff81f968f8 0000000041b58ab3 ffffffff85942a58 ffffffff81432860
> > Call Trace:
> > [< inline >] __dump_stack lib/dump_stack.c:15
> > [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
> > [<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
> > [<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
> > [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
> > [< inline >] __alloc_pages_slowpath mm/page_alloc.c:3511
> > [<ffffffff816c08ac>] __alloc_pages_nodemask+0x159c/0x1e20 mm/page_alloc.c:3781
> > [<ffffffff817cde17>] alloc_pages_current+0x1c7/0x6b0 mm/mempolicy.c:2072
> > [< inline >] alloc_pages include/linux/gfp.h:469
> > [<ffffffff8172fd8f>] kmalloc_order+0x1f/0x70 mm/slab_common.c:1015
> > [<ffffffff8172fdff>] kmalloc_order_trace+0x1f/0x160 mm/slab_common.c:1026
> > [< inline >] kmalloc_large include/linux/slab.h:422
> > [<ffffffff817e01f0>] __kmalloc+0x210/0x2d0 mm/slub.c:3723
> > [< inline >] kmalloc include/linux/slab.h:495
> > [<ffffffff832262a7>] ep_write_iter+0x167/0xb50
> > drivers/usb/gadget/legacy/inode.c:664
> > [< inline >] new_sync_write fs/read_write.c:499
> > [<ffffffff817fdcd3>] __vfs_write+0x483/0x760 fs/read_write.c:512
> > [<ffffffff817ff720>] vfs_write+0x170/0x4e0 fs/read_write.c:560
> > [< inline >] SYSC_write fs/read_write.c:607
> > [<ffffffff81803b2b>] SyS_write+0xfb/0x230 fs/read_write.c:599
> > [<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
> > Dumping ftrace buffer:
> > (ftrace buffer empty)
> > Kernel Offset: disabled
I'm not an expert in this area, but it seems like length checking of
I/O operations should be done in a more central location, like the
VFS, rather than in a million different drivers.
Anyway, it's not a big deal if the memory allocation fails. Users who
try to transfer large amounts of data at once should expect that
sometimes it won't work.
Alan Stern
Powered by blists - more mailing lists