| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Nov 2021 16:25:39 +0300
From: Denis Efremov <efremov@...ux.com>
To: sxwjean@...com, axboe@...nel.dk, linux-block@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, Xiongwei Song <sxwjean@...il.com>
Subject: Re: [PATCH] floppy: Add max size check for user space request
Hi,
On 11/16/21 16:10, sxwjean@...com wrote:
> From: Xiongwei Song <sxwjean@...il.com>
>
> We need to check the max request size that is from user space before
> allocating pages. If the request size exceeds the limit, return -EINVAL.
> This check can avoid the warning below from page allocator.
Thank you for the patch. Applied,
https://github.com/evdenis/linux-floppy/commit/3c2d8686849713e3267b972038bb649c8f093345
I will send it to Jens by the of the week.
Regards,
Denis
>
> WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline]
> WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356
> Modules linked in:
> CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
> RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344
> Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9
> RSP: 0018:ffffc90023b87850 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000
> RDX: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
> R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960
> R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30
> FS: 0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40
> CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
> CR2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
> __get_free_pages+0x8/0x40 mm/page_alloc.c:5418
> raw_cmd_copyin drivers/block/floppy.c:3113 [inline]
> raw_cmd_ioctl drivers/block/floppy.c:3160 [inline]
> fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528
> fd_ioctl drivers/block/floppy.c:3555 [inline]
> fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869
> compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662
> __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
> do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
> __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
> do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
> entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
>
> Reported-by: syzbot+23a02c7df2cf2bc93fa2@...kaller.appspotmail.com
> Signed-off-by: Xiongwei Song <sxwjean@...il.com>
> ---
> drivers/block/floppy.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index c4267da716fe..52112ed59dd0 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3081,6 +3081,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr)
> }
> }
>
> +#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT)
> +
> static int raw_cmd_copyin(int cmd, void __user *param,
> struct floppy_raw_cmd **rcmd)
> {
> @@ -3108,7 +3110,7 @@ static int raw_cmd_copyin(int cmd, void __user *param,
> ptr->resultcode = 0;
>
> if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
> - if (ptr->length <= 0)
> + if (ptr->length <= 0 || ptr->length >= MAX_LEN)
> return -EINVAL;
> ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length);
> fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length);
>
Powered by blists - more mailing lists