Message-ID: <20241216021459.178759-2-leocstone@gmail.com>
Date: Sun, 15 Dec 2024 18:14:58 -0800
From: Leo Stone <leocstone@...il.com>
To: syzbot+7536f77535e5210a5c76@...kaller.appspotmail.com
Cc: Leo Stone <leocstone@...il.com>,
	jmorris@...ei.org,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	paul@...l-moore.com,
	penguin-kernel@...ove.SAKURA.ne.jp,
	serge@...lyn.com,
	syzkaller-bugs@...glegroups.com,
	takedakn@...data.co.jp,
	tomoyo-dev-en@...ts.osdn.me
Subject: [PATCH] tomoyo: Reject excessively long lines

syzbot creates an anonymous memory region, and then issues a
write syscall from the new memory region to a sysfs entry controlled by
tomoyo, specifying a buffer size of just under 2 GB (the actual size of
the buffer is ~32 MB). Because tomoyo_write_control will double the
size of head->write_buf every time it runs out of space for the current
line, and everything in the zero-initialized buffer is on the same line,
the function will eventually issue a kzalloc with a size that is too large,
triggering the warning.

Reject writes with excessively long lines.

Reported-by: syzbot+7536f77535e5210a5c76@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
Signed-off-by: Leo Stone <leocstone@...il.com>
---
 security/tomoyo/common.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 5c7b059a332a..0c75be949c9d 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2665,6 +2665,10 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
 
 		if (head->w.avail >= head->writebuf_size - 1) {
 			const int len = head->writebuf_size * 2;
+			if (len > KMALLOC_MAX_SIZE) {
+				error = -EINVAL;
+				break;
+			}
 			char *cp = kzalloc(len, GFP_NOFS);
 
 			if (!cp) {
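
Review bot: The new check inside `if (head->w.avail >= head->writebuf_size - 1)` is placed between `const int len = head->writebuf_size * 2;` and `char *cp = kzalloc(len, GFP_NOFS);`, so the `cp` declaration now follows a statement. Kernel style keeps declarations at the top of the block. Declare `char *cp;` next to `len`, then do the `len > KMALLOC_MAX_SIZE` test, then assign `cp = kzalloc(len, GFP_NOFS);`. A one-line comment above the test stating that it bounds the length of a single line would also help, because the hunk itself does not say why KMALLOC_MAX_SIZE is the limit or why -EINVAL is returned here instead of the error used on the existing `!cp` path.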
-- 
2.43.0

