| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Jul 2019 15:36:57 -0400
From: Laura Abbott <labbott@...hat.com>
To: alex.popov@...ux.com, Sumit Semwal <sumit.semwal@...aro.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
arve@...roid.com, Todd Kjos <tkjos@...roid.com>,
Martijn Coenen <maco@...roid.com>,
Joel Fernandes <joel@...lfernandes.org>,
Christian Brauner <christian@...uner.io>,
Riley Andrews <riandrews@...roid.com>,
devel@...verdev.osuosl.org, linaro-mm-sig@...ts.linaro.org,
linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
dri-devel@...ts.freedesktop.org,
LKML <linux-kernel@...r.kernel.org>,
Brian Starkey <brian.starkey@....com>,
Daniel Vetter <daniel.vetter@...el.com>,
Mark Brown <broonie@...nel.org>,
Benjamin Gaignard <benjamin.gaignard@...aro.org>,
Linux-MM <linux-mm@...ck.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Andrey Konovalov <andreyknvl@...gle.com>,
syzkaller@...glegroups.com, John Stultz <john.stultz@...aro.org>
Subject: Re: Limits for ION Memory Allocator
On 7/17/19 12:31 PM, Alexander Popov wrote:
> Hello!
>
> The syzkaller [1] has a trouble with fuzzing the Linux kernel with ION Memory
> Allocator.
>
> Syzkaller uses several methods [2] to limit memory consumption of the userspace
> processes calling the syscalls for testing the kernel:
> - setrlimit(),
> - cgroups,
> - various sysctl.
> But these methods don't work for ION Memory Allocator, so any userspace process
> that has access to /dev/ion can bring the system to the out-of-memory state.
>
> An example of a program doing that:
>
>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <linux/types.h>
> #include <sys/ioctl.h>
>
> #define ION_IOC_MAGIC 'I'
> #define ION_IOC_ALLOC _IOWR(ION_IOC_MAGIC, 0, \
> struct ion_allocation_data)
>
> struct ion_allocation_data {
> __u64 len;
> __u32 heap_id_mask;
> __u32 flags;
> __u32 fd;
> __u32 unused;
> };
>
> int main(void)
> {
> unsigned long i = 0;
> int fd = -1;
> struct ion_allocation_data data = {
> .len = 0x13f65d8c,
> .heap_id_mask = 1,
> .flags = 0,
> .fd = -1,
> .unused = 0
> };
>
> fd = open("/dev/ion", 0);
> if (fd == -1) {
> perror("[-] open /dev/ion");
> return 1;
> }
>
> while (1) {
> printf("iter %lu\n", i);
> ioctl(fd, ION_IOC_ALLOC, &data);
> i++;
> }
>
> return 0;
> }
>
>
> I looked through the code of ion_alloc() and didn't find any limit checks.
> Is it currently possible to limit ION kernel allocations for some process?
>
> If not, is it a right idea to do that?
> Thanks!
>
Yes, I do think that's the right approach. We're working on moving Ion
out of staging and this is something I mentioned to John Stultz. I don't
think we've thought too hard about how to do the actual limiting so
suggestions are welcome.
Thanks,
Laura
> Best regards,
> Alexander
>
>
> [1]: https://github.com/google/syzkaller
> [2]: https://github.com/google/syzkaller/blob/master/executor/common_linux.h
>
Powered by blists - more mailing lists