lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <0d05bdd9-b962-2f63-c0d8-b87ab593ea1b@linux.com>
Date:   Wed, 17 Nov 2021 16:25:39 +0300
From:   Denis Efremov <efremov@...ux.com>
To:     sxwjean@...com, axboe@...nel.dk, linux-block@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org, Xiongwei Song <sxwjean@...il.com>
Subject: Re: [PATCH] floppy: Add max size check for user space request

Hi,

On 11/16/21 16:10, sxwjean@...com wrote:
> From: Xiongwei Song <sxwjean@...il.com>
> 
> We need to check the max request size that is from user space before
> allocating pages. If the request size exceeds the limit, return -EINVAL.
> This check can avoid the warning below from page allocator.

Thank you for the patch. Applied,
https://github.com/evdenis/linux-floppy/commit/3c2d8686849713e3267b972038bb649c8f093345

I will send it to Jens by the of the week.

Regards,
Denis

> 
> WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline]
> WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356
> Modules linked in:
> CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
> RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344
> Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9
> RSP: 0018:ffffc90023b87850 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000
> RDX: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
> R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960
> R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30
> FS:  0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40
> CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> CR2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
>  __get_free_pages+0x8/0x40 mm/page_alloc.c:5418
>  raw_cmd_copyin drivers/block/floppy.c:3113 [inline]
>  raw_cmd_ioctl drivers/block/floppy.c:3160 [inline]
>  fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528
>  fd_ioctl drivers/block/floppy.c:3555 [inline]
>  fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869
>  compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662
>  __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
>  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
>  __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
>  do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
>  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> 
> Reported-by: syzbot+23a02c7df2cf2bc93fa2@...kaller.appspotmail.com
> Signed-off-by: Xiongwei Song <sxwjean@...il.com>
> ---
>  drivers/block/floppy.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
> index c4267da716fe..52112ed59dd0 100644
> --- a/drivers/block/floppy.c
> +++ b/drivers/block/floppy.c
> @@ -3081,6 +3081,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr)
>  	}
>  }
>  
> +#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT)
> +
>  static int raw_cmd_copyin(int cmd, void __user *param,
>  				 struct floppy_raw_cmd **rcmd)
>  {
> @@ -3108,7 +3110,7 @@ static int raw_cmd_copyin(int cmd, void __user *param,
>  	ptr->resultcode = 0;
>  
>  	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
> -		if (ptr->length <= 0)
> +		if (ptr->length <= 0 || ptr->length >= MAX_LEN)
>  			return -EINVAL;
>  		ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length);
>  		fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length);
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ