lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200813153722.GA13844@lst.de>
Date:   Thu, 13 Aug 2020 17:37:22 +0200
From:   Christoph Hellwig <hch@....de>
To:     Josef Bacik <josef@...icpanda.com>
Cc:     hch@....de, viro@...IV.linux.org.uk, linux-kernel@...r.kernel.org,
        linux-fsdevel@...r.kernel.org, kernel-team@...com,
        willy@...radead.org
Subject: Re: [PATCH][v2] proc: use vmalloc for our kernel buffer

On Thu, Aug 13, 2020 at 11:33:56AM -0400, Josef Bacik wrote:
> Since
> 
>   sysctl: pass kernel pointers to ->proc_handler
> 
> we have been pre-allocating a buffer to copy the data from the proc
> handlers into, and then copying that to userspace.  The problem is this
> just blind kmalloc()'s the buffer size passed in from the read, which in
> the case of our 'cat' binary was 64kib.  Order-4 allocations are not
> awesome, and since we can potentially allocate up to our maximum order,
> use vmalloc for these buffers.
> 
> Fixes: 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")
> Signed-off-by: Josef Bacik <josef@...icpanda.com>
> ---
> v1->v2:
> - Make vmemdup_user_nul actually do the right thing...sorry about that.
> 
>  fs/proc/proc_sysctl.c  |  6 +++---
>  include/linux/string.h |  1 +
>  mm/util.c              | 27 +++++++++++++++++++++++++++
>  3 files changed, 31 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index 6c1166ccdaea..207ac6e6e028 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -571,13 +571,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
>  		goto out;
>  
>  	if (write) {
> -		kbuf = memdup_user_nul(ubuf, count);
> +		kbuf = vmemdup_user_nul(ubuf, count);

Given that this can also do a kmalloc and thus needs to be paired
with kvfree shouldn't it be kvmemdup_user_nul?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ