| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9e4d3860-5829-df6f-aad4-44d07c62535b@toxicpanda.com>
Date: Thu, 13 Aug 2020 13:19:18 -0400
From: Josef Bacik <josef@...icpanda.com>
To: Al Viro <viro@...iv.linux.org.uk>, Christoph Hellwig <hch@....de>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
kernel-team@...com, willy@...radead.org
Subject: Re: [PATCH][v2] proc: use vmalloc for our kernel buffer
On 8/13/20 12:20 PM, Al Viro wrote:
> On Thu, Aug 13, 2020 at 05:41:17PM +0200, Christoph Hellwig wrote:
>> On Thu, Aug 13, 2020 at 11:40:00AM -0400, Josef Bacik wrote:
>>> On 8/13/20 11:37 AM, Christoph Hellwig wrote:
>>>> On Thu, Aug 13, 2020 at 11:33:56AM -0400, Josef Bacik wrote:
>>>>> Since
>>>>>
>>>>> sysctl: pass kernel pointers to ->proc_handler
>>>>>
>>>>> we have been pre-allocating a buffer to copy the data from the proc
>>>>> handlers into, and then copying that to userspace. The problem is this
>>>>> just blind kmalloc()'s the buffer size passed in from the read, which in
>>>>> the case of our 'cat' binary was 64kib. Order-4 allocations are not
>>>>> awesome, and since we can potentially allocate up to our maximum order,
>>>>> use vmalloc for these buffers.
>>>>>
>>>>> Fixes: 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")
>>>>> Signed-off-by: Josef Bacik <josef@...icpanda.com>
>>>>> ---
>>>>> v1->v2:
>>>>> - Make vmemdup_user_nul actually do the right thing...sorry about that.
>>>>>
>>>>> fs/proc/proc_sysctl.c | 6 +++---
>>>>> include/linux/string.h | 1 +
>>>>> mm/util.c | 27 +++++++++++++++++++++++++++
>>>>> 3 files changed, 31 insertions(+), 3 deletions(-)
>>>>>
>>>>> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
>>>>> index 6c1166ccdaea..207ac6e6e028 100644
>>>>> --- a/fs/proc/proc_sysctl.c
>>>>> +++ b/fs/proc/proc_sysctl.c
>>>>> @@ -571,13 +571,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
>>>>> goto out;
>>>>> if (write) {
>>>>> - kbuf = memdup_user_nul(ubuf, count);
>>>>> + kbuf = vmemdup_user_nul(ubuf, count);
>>>>
>>>> Given that this can also do a kmalloc and thus needs to be paired
>>>> with kvfree shouldn't it be kvmemdup_user_nul?
>>>>
>>>
>>> There's an existing vmemdup_user that does kvmalloc, so I followed the
>>> existing naming convention. Do you want me to change them both? Thanks,
>>
>> I personally would, and given that it only has a few users it might
>> even be feasible.
>
> FWIW, how about following or combining that with "allocate count + 1 bytes on
> the read side"? Allows some nice cleanups - e.g.
> len = sprintf(tmpbuf, "0x%04x", *(unsigned int *) table->data);
> if (len > left)
> len = left;
> memcpy(buffer, tmpbuf, len);
> if ((left -= len) > 0) {
> *((char *)buffer + len) = '\n';
> left--;
> }
> in sunrpc proc_dodebug() turns into
> left -= snprintf(buffer, left, "0x%04x\n",
> *(unsigned int *) table->data);
> and that's not the only example.
>
We wouldn't even need the extra +1 part, since we're only copying in how much
the user wants anyway, we could just go ahead and convert this to
left -= snprintf(buffer, left, "0x%04x\n", *(unsigned int *) table->data);
and be fine, right? Or am I misunderstanding what you're looking for? Thanks,
Josef
Powered by blists - more mailing lists