| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025110351-mountain-absently-f9f1@gregkh>
Date: Mon, 3 Nov 2025 10:05:31 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: Miaoqian Lin <linmq006@...il.com>,
Thomas Weißschuh <linux@...ssschuh.net>,
Wolfram Sang <wsa+renesas@...g-engineering.com>,
Ruan Jinjie <ruanjinjie@...wei.com>,
Luca Ceresoli <luca.ceresoli@...tlin.com>,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] misc: eeprom/idt_89hpesx: prevent bad user input in
idt_dbgfs_csr_write()
On Thu, Oct 30, 2025 at 09:47:22AM +0100, Arnd Bergmann wrote:
> On Thu, Oct 30, 2025, at 06:28, Miaoqian Lin wrote:
> > A malicious user could pass an arbitrarily bad value
> > to memdup_user_nul(), potentially causing kernel crash.
>
> I think you should be more specific than 'kernel crash' here.
> As far as I can tell, the worst case would be temporarily
> consuming a MAX_ORDER_NR_PAGES allocation, leading to out-of-memory.
I think we already limit the size of writes so this shouldn't happen,
but a real trace would be good to see.
> > Fixes: 183238ffb886 ("misc: eeprom/idt_89hpesx: Switch to
> > memdup_user_nul() helper")
>
> I don't think that patch changed anything, the same thing
> would have happened with kmalloc()+copy_from_user().
> Am I missing something?
>
> > + if (count == 0 || count > PAGE_SIZE)
> > + return -EINVAL;
> > +
>
> How did you pick PAGE_SIZE as the maximum here?
I agree, that seems very very small.
thanks,
greg k-h
Powered by blists - more mailing lists