| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 26 Nov 2022 18:22:09 -0500
From: "Michael S. Tsirkin" <mst@...hat.com>
To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc: error27@...il.com, harshit.m.mogalapalli@...il.com,
Jason Wang <jasowang@...hat.com>,
Xie Yongji <xieyongji@...edance.com>,
Gautam Dawar <gautam.dawar@...inx.com>,
Maxime Coquelin <maxime.coquelin@...hat.com>,
Guanjun <guanjun@...ux.alibaba.com>,
Parav Pandit <parav@...dia.com>, Eli Cohen <elic@...dia.com>,
virtualization@...ts.linux-foundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev()
On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote:
> As 'dev->vq_num' is user-controlled data, if user tries to allocate
> memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it
> creates a stack trace and messes up dmesg with a warning.
>
> Call trace:
> -> vduse_ioctl
> --> vduse_create_dev
> 'config->vq_num' is user data as it comes from ioctl, which is
> assigned to 'dev->vq_num'.
>
> Add __GFP_NOWARN in order to avoid too large allocation warning.
> This is detected by static analysis using smatch.
>
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
> ---
> drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
> index 35dceee3ed56..5e9546b16165 100644
> --- a/drivers/vdpa/vdpa_user/vduse_dev.c
> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
> @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config,
> dev->config_size = config->config_size;
> dev->vq_align = config->vq_align;
> dev->vq_num = config->vq_num;
> - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL);
> + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs),
> + GFP_KERNEL | __GFP_NOWARN);
> if (!dev->vqs)
> goto err_vqs;
This is insufficient - the real source of the problem is that
vq_num is not validated.
The thing to do is to validate config and limit vq_num to 0xffff;
> --
> 2.38.1
Powered by blists - more mailing lists