lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <0f712780-8af0-4894-b75c-44fd7390dc3e@app.fastmail.com>
Date: Thu, 30 Oct 2025 09:47:22 +0100
From: "Arnd Bergmann" <arnd@...db.de>
To: "Miaoqian Lin" <linmq006@...il.com>,
 "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
 Thomas Weißschuh <linux@...ssschuh.net>,
 "Wolfram Sang" <wsa+renesas@...g-engineering.com>,
 "Ruan Jinjie" <ruanjinjie@...wei.com>,
 "Luca Ceresoli" <luca.ceresoli@...tlin.com>, linux-kernel@...r.kernel.org
Cc: stable@...r.kernel.org
Subject: Re: [PATCH] misc: eeprom/idt_89hpesx: prevent bad user input in
 idt_dbgfs_csr_write()

On Thu, Oct 30, 2025, at 06:28, Miaoqian Lin wrote:
> A malicious user could pass an arbitrarily bad value
> to memdup_user_nul(), potentially causing kernel crash.

I think you should be more specific than 'kernel crash' here.
As far as I can tell, the worst case would be temporarily
consuming a MAX_ORDER_NR_PAGES allocation, leading to out-of-memory.

> Fixes: 183238ffb886 ("misc: eeprom/idt_89hpesx: Switch to 
> memdup_user_nul() helper")

I don't think that patch changed anything, the same thing
would have happened with kmalloc()+copy_from_user().
Am I missing something?

> +	if (count == 0 || count > PAGE_SIZE)
> +		return -EINVAL;
> +

How did you pick PAGE_SIZE as the maximum here?

       Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ