* [PATCH] kmsg: limit message size
@ 2012-05-05 14:56 Sasha Levin
2012-05-08 22:57 ` Andrew Morton
0 siblings, 1 reply; 3+ messages in thread
From: Sasha Levin @ 2012-05-05 14:56 UTC (permalink / raw)
To: arnd, gregkh; +Cc: tglx, linux-kernel, Sasha Levin
There are no size checks in kmsg_write(), and we try allocating enough
memory to store everything userspace gave us, which may be too much for
kmalloc to allocate.
Furthermore, we can have an integer overflow if len==INT_MAX, in that case
we'll corrupt kernel memory.
This was tested with several userspace programs that write to kmsg, and haven't
found a case where the program attempts to write more than PAGE_SIZE.
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
---
drivers/char/mem.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index d6e9d08..c90964b 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -815,6 +815,9 @@ static ssize_t kmsg_writev(struct kiocb *iocb, const struct iovec *iv,
ssize_t ret = -EFAULT;
size_t len = iov_length(iv, count);
+ if (len > PAGE_SIZE)
+ return -E2BIG;
+
line = kmalloc(len + 1, GFP_KERNEL);
if (line == NULL)
return -ENOMEM;
--
1.7.8.5
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] kmsg: limit message size
2012-05-05 14:56 [PATCH] kmsg: limit message size Sasha Levin
@ 2012-05-08 22:57 ` Andrew Morton
2012-05-10 16:08 ` Sasha Levin
0 siblings, 1 reply; 3+ messages in thread
From: Andrew Morton @ 2012-05-08 22:57 UTC (permalink / raw)
To: Sasha Levin; +Cc: arnd, gregkh, tglx, linux-kernel
On Sat, 5 May 2012 16:56:12 +0200
Sasha Levin <levinsasha928@gmail.com> wrote:
> There are no size checks in kmsg_write(), and we try allocating enough
> memory to store everything userspace gave us, which may be too much for
> kmalloc to allocate.
>
> Furthermore, we can have an integer overflow if len==INT_MAX, in that case
> we'll corrupt kernel memory.
>
> This was tested with several userspace programs that write to kmsg, and haven't
> found a case where the program attempts to write more than PAGE_SIZE.
>
> Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
> ---
> drivers/char/mem.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/char/mem.c b/drivers/char/mem.c
> index d6e9d08..c90964b 100644
> --- a/drivers/char/mem.c
> +++ b/drivers/char/mem.c
> @@ -815,6 +815,9 @@ static ssize_t kmsg_writev(struct kiocb *iocb, const struct iovec *iv,
> ssize_t ret = -EFAULT;
> size_t len = iov_length(iv, count);
>
> + if (len > PAGE_SIZE)
> + return -E2BIG;
> +
> line = kmalloc(len + 1, GFP_KERNEL);
> if (line == NULL)
> return -ENOMEM;
Well, this is a write(), and write() is permitted to return
less-than-asked-for. So what we could do here is to write the first N
bytes and then return N to userspace. Well-behaved userspace will
notice this and then do some more writing from offset N.
Could I ask that you try this and test it a bit, see whether there is
any well-behaved userspace out there? Things like cat and echo
_should_ dtrt.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] kmsg: limit message size
2012-05-08 22:57 ` Andrew Morton
@ 2012-05-10 16:08 ` Sasha Levin
0 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2012-05-10 16:08 UTC (permalink / raw)
To: Andrew Morton; +Cc: arnd, gregkh, tglx, linux-kernel
On Wed, May 9, 2012 at 12:57 AM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Sat, 5 May 2012 16:56:12 +0200
> Sasha Levin <levinsasha928@gmail.com> wrote:
>
>> There are no size checks in kmsg_write(), and we try allocating enough
>> memory to store everything userspace gave us, which may be too much for
>> kmalloc to allocate.
>>
>> Furthermore, we can have an integer overflow if len==INT_MAX, in that case
>> we'll corrupt kernel memory.
>>
>> This was tested with several userspace programs that write to kmsg, and haven't
>> found a case where the program attempts to write more than PAGE_SIZE.
>>
>> Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
>> ---
>> drivers/char/mem.c | 3 +++
>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/drivers/char/mem.c b/drivers/char/mem.c
>> index d6e9d08..c90964b 100644
>> --- a/drivers/char/mem.c
>> +++ b/drivers/char/mem.c
>> @@ -815,6 +815,9 @@ static ssize_t kmsg_writev(struct kiocb *iocb, const struct iovec *iv,
>> ssize_t ret = -EFAULT;
>> size_t len = iov_length(iv, count);
>>
>> + if (len > PAGE_SIZE)
>> + return -E2BIG;
>> +
>> line = kmalloc(len + 1, GFP_KERNEL);
>> if (line == NULL)
>> return -ENOMEM;
>
> Well, this is a write(), and write() is permitted to return
> less-than-asked-for. So what we could do here is to write the first N
> bytes and then return N to userspace. Well-behaved userspace will
> notice this and then do some more writing from offset N.
>
> Could I ask that you try this and test it a bit, see whether there is
> any well-behaved userspace out there? Things like cat and echo
> _should_ dtrt.
Yup, cat and echo do dtrt. I'll resend a patch which limits the write
instead of canceling it altogether.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-05-10 16:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-05-05 14:56 [PATCH] kmsg: limit message size Sasha Levin
2012-05-08 22:57 ` Andrew Morton
2012-05-10 16:08 ` Sasha Levin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.