lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20210504004700.GA638732@rowland.harvard.edu>
Date:   Mon, 3 May 2021 20:47:00 -0400
From:   Alan Stern <stern@...land.harvard.edu>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     syzbot <syzbot+882a85c0c8ec4a3e2281@...kaller.appspotmail.com>,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        syzkaller-bugs@...glegroups.com,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-usb@...r.kernel.org
Subject: Re: [syzbot] WARNING in do_proc_bulk

On Mon, May 03, 2021 at 12:24:28PM -0700, Andrew Morton wrote:
> On Mon, 3 May 2021 14:56:14 -0400 Alan Stern <stern@...land.harvard.edu> wrote:
> 
> > > 
> > > do_proc_bulk() is asking kmalloc for more than MAX_ORDER bytes, in
> > > 
> > > 	tbuf = kmalloc(len1, GFP_KERNEL);
> > 
> > This doesn't seem to be a bug.  do_proc_bulk is simply trying to 
> > allocate a kernel buffer for data passed to/from userspace.  If a user 
> > wants too much space all at once, that's their problem.
> > 
> > As far as I know, the kmalloc API doesn't require the caller to filter 
> > out requests for more the MAX_ORDER bytes.  Only to be prepared to 
> > handle failures -- which do_proc_bulk is all set for.
> > 
> > Am I wrong about this?  Should we add __GFP_NOWARN to the gfp flags?
> 
> Yes, if the oversized request is a can-happen and the resulting error is handled
> appropriately, __GFP_NOWARN is the way to go.

Okay, let's see how this does.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git d2b6f8a1

Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -1218,7 +1218,12 @@ static int do_proc_bulk(struct usb_dev_s
 	ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
 	if (ret)
 		return ret;
-	tbuf = kmalloc(len1, GFP_KERNEL);
+
+	/*
+	 * len1 can be almost arbitrarily large.  Don't WARN if it's
+	 * too big, just fail the request.
+	 */
+	tbuf = kmalloc(len1, GFP_KERNEL | __GFP_NOWARN);
 	if (!tbuf) {
 		ret = -ENOMEM;
 		goto done;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ