lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ZqlggV3G0t743exX@google.com>
Date: Tue, 30 Jul 2024 14:52:01 -0700
From: Dmitry Torokhov <dmitry.torokhov@...il.com>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Henrik Rydberg <rydberg@...math.org>,
	"linux-input@...r.kernel.org" <linux-input@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH (resend)] Input: MT - limit max slots

Hi Tetsuo,

On Tue, Jul 30, 2024 at 02:38:19PM +0900, Tetsuo Handa wrote:
> On 2024/07/30 2:59, Dmitry Torokhov wrote:
> > Please do not. Or you will have to patch it again when we will still see
> > the same allocation failures because someone requested an input device
> > with "too many" slots (1024 results in 4Mb mt->red table for example).
> > 
> > Just fix malloc/syzkaller not to trigger on benign memory allocation
> > hickups. They are normal.
> 
> I chose 1024 because as far as I know 4MB is max acceptable size for
> all environments without triggering too large allocation warning.
> 
> You worry about mt->red, but did you notice that syzbot was reporting that
> memory allocation for mt->red has an integer overflow bug, which can cause
> out of bounds write or ZERO_SIZE_PTR pointer dereference bug at input_mt_set_matrix() ?
> 
> https://lkml.kernel.org/r/6d878e01-6c2f-8766-2578-c95030442369@I-love.SAKURA.ne.jp

I'll happily take the change converting that to array_size().

> 
> Lucky thing is that the uinput interface is for only the "root" user...

uinput also does not request in-kernel contact tracking so it will not
allow hitting that overflow.

Thanks.

-- 
Dmitry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ