Message-Id: <1454095465-16685-1-git-send-email-xiyou.wangcong@gmail.com>
Date: Fri, 29 Jan 2016 11:24:24 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: netdev@...r.kernel.org
Cc: dvyukov@...gle.com, linux-wireless@...r.kernel.org,
julian.calaby@...il.com, eric.dumazet@...il.com,
Cong Wang <xiyou.wangcong@...il.com>,
Lauro Ramos Venancio <lauro.venancio@...nbossa.org>,
Aloisio Almeida Jr <aloisio.almeida@...nbossa.org>,
Samuel Ortiz <sameo@...ux.intel.com>
Subject: [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
These two functions are called in the sendmsg path, and the
'len' is passed from user-space, so we should not allow
malicious users to OOM the kernel on purpose.
Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Lauro Ramos Venancio <lauro.venancio@...nbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida@...nbossa.org>
Cc: Samuel Ortiz <sameo@...ux.intel.com>
Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
---
net/nfc/llcp_commands.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 3621a90..3425532 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
return -ENOBUFS;
}
- msg_data = kzalloc(len, GFP_KERNEL);
+ msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
if (msg_data == NULL)
return -ENOMEM;
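Review bot: the replacement allocation in nfc_llcp_send_i_frame drops zero-initialisation (kzalloc becomes kmalloc) in addition to changing the GFP flags, and the changelog only explains the flags. With kmalloc, any byte of msg_data that is not overwritten before the frames are built would carry stale kernel heap contents out to the peer. The code that fills msg_data is outside this hunk, so either keep the zeroing with `kzalloc(len, GFP_USER | __GFP_NOWARN)` or add a sentence to the commit message stating that all len bytes are always copied in from the user's msghdr and that a failed or short copy is treated as an error before the buffer is read.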
@@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
if (local == NULL)
return -ENODEV;
- msg_data = kzalloc(len, GFP_KERNEL);
+ msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
if (msg_data == NULL)
return -ENOMEM;
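Review bot: in nfc_llcp_send_ui_frame nothing in the visible context bounds len before the allocation; the only check ahead of it is `if (local == NULL)`. GFP_USER | __GFP_NOWARN makes an oversized request fail quietly with -ENOMEM, but the allocator is still asked for a user-chosen contiguous size on every sendmsg call. If the protocol defines a maximum payload for a single send, consider rejecting larger values of len before the kmalloc so the failure mode is an explicit size error rather than allocation pressure. The switch from kzalloc to kmalloc here also removes the zeroing, so the same confirmation that msg_data is fully written before use is needed for this function.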
--
1.8.3.1