lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20221126181822-mutt-send-email-mst@kernel.org>
Date:   Sat, 26 Nov 2022 18:22:09 -0500
From:   "Michael S. Tsirkin" <mst@...hat.com>
To:     Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc:     error27@...il.com, harshit.m.mogalapalli@...il.com,
        Jason Wang <jasowang@...hat.com>,
        Xie Yongji <xieyongji@...edance.com>,
        Gautam Dawar <gautam.dawar@...inx.com>,
        Maxime Coquelin <maxime.coquelin@...hat.com>,
        Guanjun <guanjun@...ux.alibaba.com>,
        Parav Pandit <parav@...dia.com>, Eli Cohen <elic@...dia.com>,
        virtualization@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev()

On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote:
> As 'dev->vq_num' is user-controlled data, if user tries to allocate
> memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it
> creates a stack trace and messes up dmesg with a warning.
> 
> Call trace:
> -> vduse_ioctl
> --> vduse_create_dev
> 'config->vq_num' is user data as it comes from ioctl, which is
> assigned to 'dev->vq_num'.
> 
> Add __GFP_NOWARN in order to avoid too large allocation warning.
> This is detected by static analysis using smatch.
> 
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
> ---
>  drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
> index 35dceee3ed56..5e9546b16165 100644
> --- a/drivers/vdpa/vdpa_user/vduse_dev.c
> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
> @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config,
>  	dev->config_size = config->config_size;
>  	dev->vq_align = config->vq_align;
>  	dev->vq_num = config->vq_num;
> -	dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL);
> +	dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs),
> +			   GFP_KERNEL | __GFP_NOWARN);
>  	if (!dev->vqs)
>  		goto err_vqs;

This is insufficient - the real source of the problem is that
vq_num is not validated.
The thing to do is to validate config and limit vq_num to 0xffff;


> -- 
> 2.38.1

Powered by blists - more mailing lists