[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20190320.111028.467469471139039452.davem@davemloft.net>
Date: Wed, 20 Mar 2019 11:10:28 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: lucien.xin@...il.com
Cc: netdev@...r.kernel.org, linux-sctp@...r.kernel.org,
marcelo.leitner@...il.com, nhorman@...driver.com,
syzkaller@...glegroups.com
Subject: Re: [PATCH net] sctp: use memdup_user instead of vmemdup_user
From: Xin Long <lucien.xin@...il.com>
Date: Wed, 20 Mar 2019 14:49:38 +0800
> In sctp_setsockopt_bindx()/__sctp_setsockopt_connectx(), it allocates
> memory with addrs_size which is passed from userspace. We used flag
> GFP_USER to put some more restrictions on it in Commit cacc06215271
> ("sctp: use GFP_USER for user-controlled kmalloc").
>
> However, since Commit c981f254cc82 ("sctp: use vmemdup_user() rather
> than badly open-coding memdup_user()"), vmemdup_user() has been used,
> which doesn't check GFP_USER flag when goes to vmalloc_*(). So when
> addrs_size is a huge value, it could exhaust memory and even trigger
> oom killer.
>
> This patch is to use memdup_user() instead, in which GFP_USER would
> work to limit the memory allocation with a huge addrs_size.
>
> Note we can't fix it by limiting 'addrs_size', as there's no demand
> for it from RFC.
>
> Reported-by: syzbot+ec1b7575afef85a0e5ca@...kaller.appspotmail.com
> Fixes: c981f254cc82 ("sctp: use vmemdup_user() rather than badly open-coding memdup_user()")
> Signed-off-by: Xin Long <lucien.xin@...il.com>
Applied and queued up for -stable, thanks Xin.
Powered by blists - more mailing lists