Message-ID: <2025022007-rudder-refocus-5d45@gregkh>
Date: Thu, 20 Feb 2025 15:31:11 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Thadeu Lima de Souza Cascardo <cascardo@...lia.com>
Cc: linux-kernel@...r.kernel.org, Arnd Bergmann <arnd@...db.de>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Dirk VanDerMerwe <dirk.vandermerwe@...hos.com>,
	Vimal Agrawal <vimal.agrawal@...hos.com>, kernel-dev@...lia.com
Subject: Re: [PATCH 3/4] char: misc: restrict the dynamic range to exclude
 reserved minors

On Thu, Jan 23, 2025 at 09:32:48AM -0300, Thadeu Lima de Souza Cascardo wrote:
> When this was first reported [1], the possibility of having sufficient
> number of dynamic misc devices was theoretical.
> 
> What we know from commit ab760791c0cf ("char: misc: Increase the maximum
> number of dynamic misc devices to 1048448"), is that the miscdevice
> interface has been used for allocating more than the single-shot devices it
> was designed for.

Do we have any in-kernel drivers that abuse it this way?  If so, let's
fix them up.

> On such systems, it is certain that the dynamic allocation will allocate
> certain reserved minor numbers, leading to failures when a later driver
> tries to claim its reserved number.
> 
> Fixing this is a simple matter of defining the IDA range to allocate from
> to exclude minors up to and including 15.
> 
> [1] https://lore.kernel.org/all/1257813017-28598-3-git-send-email-cascardo@holoscopio.com/
> 
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...lia.com>
> ---
>  drivers/char/misc.c        | 4 +++-
>  include/linux/miscdevice.h | 1 +
>  2 files changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/char/misc.c b/drivers/char/misc.c
> index 2cf595d2e10b..7a768775e558 100644
> --- a/drivers/char/misc.c
> +++ b/drivers/char/misc.c
> @@ -68,8 +68,10 @@ static int misc_minor_alloc(int minor)
>  	int ret = 0;
>  
>  	if (minor == MISC_DYNAMIC_MINOR) {
> +		int max = DYNAMIC_MINORS - 1 - MISC_STATIC_MAX_MINOR - 1;
>  		/* allocate free id */
> -		ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL);
> +		/* Minors from 0 to 15 are reserved. */
> +		ret = ida_alloc_max(&misc_minors_ida, max, GFP_KERNEL);
>  		if (ret >= 0) {
>  			ret = DYNAMIC_MINORS - ret - 1;
>  		} else {
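
Review bot: The bound in the added `int max = DYNAMIC_MINORS - 1 - MISC_STATIC_MAX_MINOR - 1;` line is hard to check by reading, because the two `- 1` terms exist for different reasons and the id is inverted afterwards by `ret = DYNAMIC_MINORS - ret - 1`. Carrying it through, the largest id the IDA can return maps to minor MISC_STATIC_MAX_MINOR + 1, so the result is what the changelog intends, but the expression should say so, for example by grouping it as `DYNAMIC_MINORS - (MISC_STATIC_MAX_MINOR + 1) - 1` with a one-line comment on the inversion. The new comment also hard-codes "0 to 15" instead of naming MISC_STATIC_MAX_MINOR, so it goes stale if the macro changes, and the declaration is placed above the existing "allocate free id" comment without a blank line after it.
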
> diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h
> index 69e110c2b86a..911a294d17b5 100644
> --- a/include/linux/miscdevice.h
> +++ b/include/linux/miscdevice.h
> @@ -21,6 +21,7 @@
>  #define APOLLO_MOUSE_MINOR	7	/* unused */
>  #define PC110PAD_MINOR		9	/* unused */
>  /*#define ADB_MOUSE_MINOR	10	FIXME OBSOLETE */
> +#define MISC_STATIC_MAX_MINOR	15	/* Top of first reserved range */
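
Review bot: The value 15 in the new `MISC_STATIC_MAX_MINOR` define is not justified by anything visible here: the neighbouring entries (7, 9 and the commented-out 10) are all marked unused or obsolete, and no static minor between 11 and 15 appears in the context. The comment "Top of first reserved range" should state the range explicitly and name the in-use static minor that sets its upper bound, or the changelog should, so the limit can be revisited when those entries are removed.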

I don't understand, why is 15 the magic number here?  All of those
"unused" values can just be removed, all systems should be using dynamic
/dev/ now for many many years, and even if they aren't, these minors
aren't being used by anyone else as the in-kernel users are long gone.

So why are we reserving this range if no one needs it?

confused,

greg k-h
