* [PATCH] mm: add __GFP_NOWARN to memdup_user_nul()
@ 2021-01-20 4:18 Tetsuo Handa
2021-01-20 10:34 ` [PATCH v2] mm: memdup_user*() should use same gfp flags Tetsuo Handa
0 siblings, 1 reply; 15+ messages in thread
From: Tetsuo Handa @ 2021-01-20 4:18 UTC (permalink / raw)
To: akpm, linux-mm; +Cc: Tetsuo Handa, syzbot
syzbot is reporting that memdup_user_nul() which receives user-controlled
size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
order >= MAX_ORDER path [1].
Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
("mm: don't let userspace spam allocations warnings").
[1] https://syzkaller.appspot.com/bug?id=8bf7efb3db19101b4008dc9198522ef977d098a6
Reported-by: syzbot <syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
mm/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/util.c b/mm/util.c
index 8c9b7d1e7c49..d3c9637f46bf 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -257,7 +257,7 @@ void *memdup_user_nul(const void __user *src, size_t len)
* cause pagefault, which makes it pointless to use GFP_NOFS
* or GFP_ATOMIC.
*/
- p = kmalloc_track_caller(len + 1, GFP_KERNEL);
+ p = kmalloc_track_caller(len + 1, GFP_KERNEL | __GFP_NOWARN);
if (!p)
return ERR_PTR(-ENOMEM);
--
2.18.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH v2] mm: memdup_user*() should use same gfp flags
2021-01-20 4:18 [PATCH] mm: add __GFP_NOWARN to memdup_user_nul() Tetsuo Handa
@ 2021-01-20 10:34 ` Tetsuo Handa
2021-01-22 1:35 ` Andrew Morton
0 siblings, 1 reply; 15+ messages in thread
From: Tetsuo Handa @ 2021-01-20 10:34 UTC (permalink / raw)
To: akpm, linux-mm; +Cc: Tetsuo Handa
syzbot is reporting that memdup_user_nul() which receives user-controlled
size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
order >= MAX_ORDER path [1].
Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as
with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").
[1] https://syzkaller.appspot.com/bug?id=8bf7efb3db19101b4008dc9198522ef977d098a6
Reported-by: syzbot <syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
mm/util.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/mm/util.c b/mm/util.c
index 8c9b7d1e7c49..265b40a86856 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -252,12 +252,7 @@ void *memdup_user_nul(const void __user *src, size_t len)
{
char *p;
- /*
- * Always use GFP_KERNEL, since copy_from_user() can sleep and
- * cause pagefault, which makes it pointless to use GFP_NOFS
- * or GFP_ATOMIC.
- */
- p = kmalloc_track_caller(len + 1, GFP_KERNEL);
+ p = kmalloc_track_caller(len + 1, GFP_USER | __GFP_NOWARN);
if (!p)
return ERR_PTR(-ENOMEM);
--
2.18.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v2] mm: memdup_user*() should use same gfp flags
2021-01-20 10:34 ` [PATCH v2] mm: memdup_user*() should use same gfp flags Tetsuo Handa
@ 2021-01-22 1:35 ` Andrew Morton
2021-01-22 10:47 ` Tetsuo Handa
0 siblings, 1 reply; 15+ messages in thread
From: Andrew Morton @ 2021-01-22 1:35 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: linux-mm
On Wed, 20 Jan 2021 19:34:36 +0900 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> syzbot is reporting that memdup_user_nul() which receives user-controlled
> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
> order >= MAX_ORDER path [1].
>
> Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
> ("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as
> with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").
That commit failed to explain why a switch to GFP_USER was performed,
so that commit isn't a good substitute for an explanation of this
change.
So... please fully describe the reason for this change right here in
this patch's changelog.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] mm: memdup_user*() should use same gfp flags
2021-01-22 1:35 ` Andrew Morton
@ 2021-01-22 10:47 ` Tetsuo Handa
2021-01-25 13:32 ` Michal Hocko
0 siblings, 1 reply; 15+ messages in thread
From: Tetsuo Handa @ 2021-01-22 10:47 UTC (permalink / raw)
To: Andrew Morton, Michal Hocko, Alexander Viro; +Cc: linux-mm
On 2021/01/22 10:35, Andrew Morton wrote:
> On Wed, 20 Jan 2021 19:34:36 +0900 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
>
>> syzbot is reporting that memdup_user_nul() which receives user-controlled
>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
>> order >= MAX_ORDER path [1].
>>
>> Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
>> ("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as
>> with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").
>
> That commit failed to explain why a switch to GFP_USER was performed,
> so that commit isn't a good substitute for an explanation of this
> change.
For example, commit 2f77d107050abc14 ("Fix incorrect user space access locking
in mincore()") silently converted GFP_KERNEL to GFP_USER.
#define GFP_KERNEL (__GFP_RECLAIM | __GFP_IO | __GFP_FS)
#define GFP_USER (__GFP_RECLAIM | __GFP_IO | __GFP_FS | __GFP_HARDWALL)
* %GFP_KERNEL is typical for kernel-internal allocations. The caller requires
* %ZONE_NORMAL or a lower zone for direct access but can direct reclaim.
* %GFP_USER is for userspace allocations that also need to be directly
* accessibly by the kernel or hardware. It is typically used by hardware
* for buffers that are mapped to userspace (e.g. graphics) that hardware
* still must DMA to. cpuset limits are enforced for these allocations.
* %__GFP_HARDWALL enforces the cpuset memory allocation policy.
>
> So... please fully describe the reason for this change right here in
> this patch's changelog.
I guess that GFP_USER is chosen by cautious developers when memory is
allocated by userspace request. Is there a guideline for when to use GFP_USER ?
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] mm: memdup_user*() should use same gfp flags
2021-01-22 10:47 ` Tetsuo Handa
@ 2021-01-25 13:32 ` Michal Hocko
2021-01-25 14:20 ` Tetsuo Handa
0 siblings, 1 reply; 15+ messages in thread
From: Michal Hocko @ 2021-01-25 13:32 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: Andrew Morton, Alexander Viro, linux-mm
On Fri 22-01-21 19:47:42, Tetsuo Handa wrote:
> On 2021/01/22 10:35, Andrew Morton wrote:
> > On Wed, 20 Jan 2021 19:34:36 +0900 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> >
> >> syzbot is reporting that memdup_user_nul() which receives user-controlled
> >> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
> >> order >= MAX_ORDER path [1].
That is nasty!
> >> Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
> >> ("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as
> >> with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").
No, this is papering over a more troubling underlying problem. Userspace
shouldn't be able to trigger an aribitrary higher order allocations.
Those users with a large size to copy should be really using kvmalloc
based (e.g vmemdup_user).
> > That commit failed to explain why a switch to GFP_USER was performed,
> > so that commit isn't a good substitute for an explanation of this
> > change.
>
> For example, commit 2f77d107050abc14 ("Fix incorrect user space access locking
> in mincore()") silently converted GFP_KERNEL to GFP_USER.
>
> #define GFP_KERNEL (__GFP_RECLAIM | __GFP_IO | __GFP_FS)
> #define GFP_USER (__GFP_RECLAIM | __GFP_IO | __GFP_FS | __GFP_HARDWALL)
>
> * %GFP_KERNEL is typical for kernel-internal allocations. The caller requires
> * %ZONE_NORMAL or a lower zone for direct access but can direct reclaim.
>
> * %GFP_USER is for userspace allocations that also need to be directly
> * accessibly by the kernel or hardware. It is typically used by hardware
> * for buffers that are mapped to userspace (e.g. graphics) that hardware
> * still must DMA to. cpuset limits are enforced for these allocations.
>
> * %__GFP_HARDWALL enforces the cpuset memory allocation policy.
>
> >
> > So... please fully describe the reason for this change right here in
> > this patch's changelog.
>
> I guess that GFP_USER is chosen by cautious developers when memory is
> allocated by userspace request. Is there a guideline for when to use GFP_USER ?
I do not think we have anything better than the above. GFP_USER is
indeed used for userspace controlable allocations. So they can be a
subject to a more strict cpu policy. memdup_user_nul looks like a good
fit for GFP_USER to me. memdup_user and other variant already does this.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] mm: memdup_user*() should use same gfp flags
2021-01-25 13:32 ` Michal Hocko
@ 2021-01-25 14:20 ` Tetsuo Handa
2021-01-25 15:44 ` Michal Hocko
0 siblings, 1 reply; 15+ messages in thread
From: Tetsuo Handa @ 2021-01-25 14:20 UTC (permalink / raw)
To: Michal Hocko
Cc: Andrew Morton, Alexander Viro, linux-mm, Sabyrzhan Tasbolatov
On 2021/01/25 22:32, Michal Hocko wrote:
> On Fri 22-01-21 19:47:42, Tetsuo Handa wrote:
>> On 2021/01/22 10:35, Andrew Morton wrote:
>>> On Wed, 20 Jan 2021 19:34:36 +0900 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
>>>
>>>> syzbot is reporting that memdup_user_nul() which receives user-controlled
>>>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
>>>> order >= MAX_ORDER path [1].
>
> That is nasty!
That's because -EFAULT will not be detected before memory allocation succeeds.
Fuzzer is passing huge size without corresponding valid buffer.
syscall(__NR_write, r[0], 0x200000c0ul, 0x200000cbul);
>
>>>> Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
>>>> ("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as
>>>> with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").
>
> No, this is papering over a more troubling underlying problem. Userspace
> shouldn't be able to trigger an aribitrary higher order allocations.
That requires inserting max size checking before calling memdup_user_nul().
Oh, scattering around such checking is not nice. Add max length argument
into memdup_user_nul() like strndup_user() ?
> Those users with a large size to copy should be really using kvmalloc
> based (e.g vmemdup_user).
No. The caller in this case (writing an entry to smackfs) is not expecting
such large allocations. Sane allocation size would be always less than PAGE_SIZE.
>
>>> That commit failed to explain why a switch to GFP_USER was performed,
>>> so that commit isn't a good substitute for an explanation of this
>>> change.
>>
>> For example, commit 2f77d107050abc14 ("Fix incorrect user space access locking
>> in mincore()") silently converted GFP_KERNEL to GFP_USER.
>>
>> #define GFP_KERNEL (__GFP_RECLAIM | __GFP_IO | __GFP_FS)
>> #define GFP_USER (__GFP_RECLAIM | __GFP_IO | __GFP_FS | __GFP_HARDWALL)
>>
>> * %GFP_KERNEL is typical for kernel-internal allocations. The caller requires
>> * %ZONE_NORMAL or a lower zone for direct access but can direct reclaim.
>>
>> * %GFP_USER is for userspace allocations that also need to be directly
>> * accessibly by the kernel or hardware. It is typically used by hardware
>> * for buffers that are mapped to userspace (e.g. graphics) that hardware
>> * still must DMA to. cpuset limits are enforced for these allocations.
>>
>> * %__GFP_HARDWALL enforces the cpuset memory allocation policy.
>>
>>>
>>> So... please fully describe the reason for this change right here in
>>> this patch's changelog.
>>
>> I guess that GFP_USER is chosen by cautious developers when memory is
>> allocated by userspace request. Is there a guideline for when to use GFP_USER ?
>
> I do not think we have anything better than the above. GFP_USER is
> indeed used for userspace controlable allocations. So they can be a
> subject to a more strict cpu policy. memdup_user_nul looks like a good
> fit for GFP_USER to me. memdup_user and other variant already does this.
>
Hmm, Sabyrzhan already proposed a patch that adds size check to the caller, but it seems
that that patch missed smk_write_ambient()/smk_write_onlycap()/smk_write_unconfined() etc.
Oh, bug-prone approach. Why not handle at memdup_user_nul() side?
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] mm: memdup_user*() should use same gfp flags
2021-01-25 14:20 ` Tetsuo Handa
@ 2021-01-25 15:44 ` Michal Hocko
2021-01-26 11:13 ` Sabyrzhan Tasbolatov
0 siblings, 1 reply; 15+ messages in thread
From: Michal Hocko @ 2021-01-25 15:44 UTC (permalink / raw)
To: Tetsuo Handa
Cc: Andrew Morton, Alexander Viro, linux-mm, Sabyrzhan Tasbolatov
On Mon 25-01-21 23:20:41, Tetsuo Handa wrote:
> On 2021/01/25 22:32, Michal Hocko wrote:
> > On Fri 22-01-21 19:47:42, Tetsuo Handa wrote:
> >> On 2021/01/22 10:35, Andrew Morton wrote:
> >>> On Wed, 20 Jan 2021 19:34:36 +0900 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> >>>
> >>>> syzbot is reporting that memdup_user_nul() which receives user-controlled
> >>>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
> >>>> order >= MAX_ORDER path [1].
> >
> > That is nasty!
>
> That's because -EFAULT will not be detected before memory allocation succeeds.
> Fuzzer is passing huge size without corresponding valid buffer.
>
> syscall(__NR_write, r[0], 0x200000c0ul, 0x200000cbul);
>
> >
> >>>> Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
> >>>> ("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as
> >>>> with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").
> >
> > No, this is papering over a more troubling underlying problem. Userspace
> > shouldn't be able to trigger an aribitrary higher order allocations.
>
> That requires inserting max size checking before calling memdup_user_nul().
> Oh, scattering around such checking is not nice. Add max length argument
> into memdup_user_nul() like strndup_user() ?
Or simply fallback to the vmalloc based memdump* if the size is larger
than the PAGE_SIZE. It seems that the existing API is much more complex
than necessary.
[...]
> > I do not think we have anything better than the above. GFP_USER is
> > indeed used for userspace controlable allocations. So they can be a
> > subject to a more strict cpu policy. memdup_user_nul looks like a good
> > fit for GFP_USER to me. memdup_user and other variant already does this.
> >
>
> Hmm, Sabyrzhan already proposed a patch that adds size check to the caller, but it seems
> that that patch missed smk_write_ambient()/smk_write_onlycap()/smk_write_unconfined() etc.
> Oh, bug-prone approach. Why not handle at memdup_user_nul() side?
I am sorry I do not follow.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] mm: memdup_user*() should use same gfp flags
2021-01-25 15:44 ` Michal Hocko
@ 2021-01-26 11:13 ` Sabyrzhan Tasbolatov
2021-01-27 10:55 ` [PATCH v3] " Tetsuo Handa
0 siblings, 1 reply; 15+ messages in thread
From: Sabyrzhan Tasbolatov @ 2021-01-26 11:13 UTC (permalink / raw)
To: mhocko; +Cc: akpm, linux-mm, penguin-kernel, snovitoll, viro
> > Hmm, Sabyrzhan already proposed a patch that adds size check to the caller, but it seems
> > that that patch missed smk_write_ambient()/smk_write_onlycap()/smk_write_unconfined() etc.
> > Oh, bug-prone approach. Why not handle at memdup_user_nul() side?
> I am sorry I do not follow.
Tetsuo refers to this smackfs patch [1], where I've added a length check before
memdup_user_nul().
There are currently 39 references to this function, where length > PAGE_SIZE - 1
or similar sanity check already presents.
So I can't comment on handling it without __GFP_NOWARN at memdup_user_nul() side.
> > Hmm, Sabyrzhan already proposed a patch that adds size check to the caller, but it seems
> > that that patch missed smk_write_ambient()/smk_write_onlycap()/smk_write_unconfined() etc.
Thanks, I will prepare PATCH v2 with a length check for smk_write_* smackfs
functions in [1] patch set.
[1] https://lore.kernel.org/linux-security-module/20210124143627.582115-1-snovitoll@gmail.com/
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v3] mm: memdup_user*() should use same gfp flags
2021-01-26 11:13 ` Sabyrzhan Tasbolatov
@ 2021-01-27 10:55 ` Tetsuo Handa
2021-01-27 11:59 ` Michal Hocko
0 siblings, 1 reply; 15+ messages in thread
From: Tetsuo Handa @ 2021-01-27 10:55 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-mm, Michal Hocko, Sabyrzhan Tasbolatov, Tetsuo Handa
syzbot is reporting that memdup_user_nul() which receives user-controlled
size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
order >= MAX_ORDER path [1].
Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail
should be better than trying to enforce PAGE_SIZE upper limit, for some of
callers accept space-delimited list arguments.
Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with
commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations
warnings"). Also use GFP_USER as with other userspace-controllable
allocations like memdup_user().
[1] https://syzkaller.appspot.com/bug?id=8bf7efb3db19101b4008dc9198522ef977d098a6
Reported-by: syzbot <syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
mm/util.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/mm/util.c b/mm/util.c
index 8c9b7d1e7c49..265b40a86856 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -252,12 +252,7 @@ void *memdup_user_nul(const void __user *src, size_t len)
{
char *p;
- /*
- * Always use GFP_KERNEL, since copy_from_user() can sleep and
- * cause pagefault, which makes it pointless to use GFP_NOFS
- * or GFP_ATOMIC.
- */
- p = kmalloc_track_caller(len + 1, GFP_KERNEL);
+ p = kmalloc_track_caller(len + 1, GFP_USER | __GFP_NOWARN);
if (!p)
return ERR_PTR(-ENOMEM);
--
2.18.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v3] mm: memdup_user*() should use same gfp flags
2021-01-27 10:55 ` [PATCH v3] " Tetsuo Handa
@ 2021-01-27 11:59 ` Michal Hocko
2021-01-27 12:17 ` Michal Hocko
0 siblings, 1 reply; 15+ messages in thread
From: Michal Hocko @ 2021-01-27 11:59 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: Andrew Morton, linux-mm, Sabyrzhan Tasbolatov
On Wed 27-01-21 19:55:38, Tetsuo Handa wrote:
> syzbot is reporting that memdup_user_nul() which receives user-controlled
> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
> order >= MAX_ORDER path [1].
>
> Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail
> should be better than trying to enforce PAGE_SIZE upper limit, for some of
> callers accept space-delimited list arguments.
>
> Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with
> commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations
> warnings"). Also use GFP_USER as with other userspace-controllable
> allocations like memdup_user().
I absolutely detest hiding this behind __GFP_NOWARN. There should be no
reason to even try hard for memdup_user_nul. Can you explain why this
cannot use kvmalloc instead?
> [1] https://syzkaller.appspot.com/bug?id=8bf7efb3db19101b4008dc9198522ef977d098a6
>
> Reported-by: syzbot <syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> mm/util.c | 7 +------
> 1 file changed, 1 insertion(+), 6 deletions(-)
>
> diff --git a/mm/util.c b/mm/util.c
> index 8c9b7d1e7c49..265b40a86856 100644
> --- a/mm/util.c
> +++ b/mm/util.c
> @@ -252,12 +252,7 @@ void *memdup_user_nul(const void __user *src, size_t len)
> {
> char *p;
>
> - /*
> - * Always use GFP_KERNEL, since copy_from_user() can sleep and
> - * cause pagefault, which makes it pointless to use GFP_NOFS
> - * or GFP_ATOMIC.
> - */
> - p = kmalloc_track_caller(len + 1, GFP_KERNEL);
> + p = kmalloc_track_caller(len + 1, GFP_USER | __GFP_NOWARN);
> if (!p)
> return ERR_PTR(-ENOMEM);
>
> --
> 2.18.4
>
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v3] mm: memdup_user*() should use same gfp flags
2021-01-27 11:59 ` Michal Hocko
@ 2021-01-27 12:17 ` Michal Hocko
[not found] ` <3e01b180-0a5b-f2aa-6247-1c3bbcabe1ed@i-love.sakura.ne.jp>
0 siblings, 1 reply; 15+ messages in thread
From: Michal Hocko @ 2021-01-27 12:17 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: Andrew Morton, linux-mm, Sabyrzhan Tasbolatov
On Wed 27-01-21 12:59:28, Michal Hocko wrote:
> On Wed 27-01-21 19:55:38, Tetsuo Handa wrote:
> > syzbot is reporting that memdup_user_nul() which receives user-controlled
> > size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
> > order >= MAX_ORDER path [1].
> >
> > Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail
> > should be better than trying to enforce PAGE_SIZE upper limit, for some of
> > callers accept space-delimited list arguments.
> >
> > Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with
> > commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations
> > warnings"). Also use GFP_USER as with other userspace-controllable
> > allocations like memdup_user().
>
> I absolutely detest hiding this behind __GFP_NOWARN. There should be no
> reason to even try hard for memdup_user_nul. Can you explain why this
this should have been "try hard to get a physicaly contiguous memory for memdup_user_nul"
> cannot use kvmalloc instead?
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v3] mm: memdup_user*() should use same gfp flags
[not found] ` <3e01b180-0a5b-f2aa-6247-1c3bbcabe1ed@i-love.sakura.ne.jp>
@ 2021-01-27 23:19 ` Andrew Morton
2021-01-27 23:27 ` Casey Schaufler
2021-01-28 8:06 ` Michal Hocko
0 siblings, 2 replies; 15+ messages in thread
From: Andrew Morton @ 2021-01-27 23:19 UTC (permalink / raw)
To: Tetsuo Handa
Cc: Michal Hocko, linux-mm, Sabyrzhan Tasbolatov, Casey Schaufler
On Wed, 27 Jan 2021 23:03:33 +0900 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote:
> On 2021/01/27 21:17, Michal Hocko wrote:
> > On Wed 27-01-21 12:59:28, Michal Hocko wrote:
> >> On Wed 27-01-21 19:55:38, Tetsuo Handa wrote:
> >>> syzbot is reporting that memdup_user_nul() which receives user-controlled
> >>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
> >>> order >= MAX_ORDER path [1].
> >>>
> >>> Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail
> >>> should be better than trying to enforce PAGE_SIZE upper limit, for some of
> >>> callers accept space-delimited list arguments.
> >>>
> >>> Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with
> >>> commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations
> >>> warnings"). Also use GFP_USER as with other userspace-controllable
> >>> allocations like memdup_user().
> >>
> >> I absolutely detest hiding this behind __GFP_NOWARN. There should be no
> >> reason to even try hard for memdup_user_nul. Can you explain why this
> >
> > this should have been "try hard to get a physicaly contiguous memory for memdup_user_nul"
> >
> >> cannot use kvmalloc instead?
> >
>
> There is no point with allowing userspace to allocate 2GB of physically non-contiguous
> memory using kvmalloc(). Size is controlled by userspace, and memdup_user_nul() is used
> for allocating temporary memory which will be released before returning to userspace.
>
> Sane userspace processes should allocate only one or a few pages using memdup_user_nul().
> Just making insane user processes (like fuzzer) fail memory allocation requests is a
> reasonable decision.
(cc Casey)
I'd say that the immediate problem is in smk_write_syslog(). Obviously
it was implemented expecting small writes, but the fuzzer is passing it a
huge write and things fall apart.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v3] mm: memdup_user*() should use same gfp flags
2021-01-27 23:19 ` Andrew Morton
@ 2021-01-27 23:27 ` Casey Schaufler
2021-01-28 7:42 ` Tetsuo Handa
2021-01-28 8:06 ` Michal Hocko
1 sibling, 1 reply; 15+ messages in thread
From: Casey Schaufler @ 2021-01-27 23:27 UTC (permalink / raw)
To: Andrew Morton, Tetsuo Handa
Cc: Michal Hocko, linux-mm, Sabyrzhan Tasbolatov, Casey Schaufler
On 1/27/2021 3:19 PM, Andrew Morton wrote:
> On Wed, 27 Jan 2021 23:03:33 +0900 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote:
>
>> On 2021/01/27 21:17, Michal Hocko wrote:
>>> On Wed 27-01-21 12:59:28, Michal Hocko wrote:
>>>> On Wed 27-01-21 19:55:38, Tetsuo Handa wrote:
>>>>> syzbot is reporting that memdup_user_nul() which receives user-controlled
>>>>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
>>>>> order >= MAX_ORDER path [1].
>>>>>
>>>>> Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail
>>>>> should be better than trying to enforce PAGE_SIZE upper limit, for some of
>>>>> callers accept space-delimited list arguments.
>>>>>
>>>>> Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with
>>>>> commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations
>>>>> warnings"). Also use GFP_USER as with other userspace-controllable
>>>>> allocations like memdup_user().
>>>> I absolutely detest hiding this behind __GFP_NOWARN. There should be no
>>>> reason to even try hard for memdup_user_nul. Can you explain why this
>>> this should have been "try hard to get a physicaly contiguous memory for memdup_user_nul"
>>>
>>>> cannot use kvmalloc instead?
>> There is no point with allowing userspace to allocate 2GB of physically non-contiguous
>> memory using kvmalloc(). Size is controlled by userspace, and memdup_user_nul() is used
>> for allocating temporary memory which will be released before returning to userspace.
>>
>> Sane userspace processes should allocate only one or a few pages using memdup_user_nul().
>> Just making insane user processes (like fuzzer) fail memory allocation requests is a
>> reasonable decision.
> (cc Casey)
>
> I'd say that the immediate problem is in smk_write_syslog(). Obviously
> it was implemented expecting small writes, but the fuzzer is passing it a
> huge write and things fall apart.
Yes, Smack should be checking that. Patch is in the works.
I hates fuzzers.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v3] mm: memdup_user*() should use same gfp flags
2021-01-27 23:27 ` Casey Schaufler
@ 2021-01-28 7:42 ` Tetsuo Handa
0 siblings, 0 replies; 15+ messages in thread
From: Tetsuo Handa @ 2021-01-28 7:42 UTC (permalink / raw)
To: Casey Schaufler, Andrew Morton
Cc: Michal Hocko, linux-mm, Sabyrzhan Tasbolatov
On 2021/01/28 8:27, Casey Schaufler wrote:
>>> There is no point with allowing userspace to allocate 2GB of physically non-contiguous
>>> memory using kvmalloc(). Size is controlled by userspace, and memdup_user_nul() is used
>>> for allocating temporary memory which will be released before returning to userspace.
>>>
>>> Sane userspace processes should allocate only one or a few pages using memdup_user_nul().
>>> Just making insane user processes (like fuzzer) fail memory allocation requests is a
>>> reasonable decision.
>> (cc Casey)
>>
>> I'd say that the immediate problem is in smk_write_syslog(). Obviously
>> it was implemented expecting small writes, but the fuzzer is passing it a
>> huge write and things fall apart.
>
> Yes, Smack should be checking that. Patch is in the works.
Caller of memdup_user_nul() is responsible for making sure that size != -1 in order to
avoid integer overflow overlooked by kmalloc(0) != NULL because memdup_user_nul() allocates
size + 1 bytes. And this is automatically made sure for smackfs because vfs_write() makes
sure that size <= (INT_MAX & PAGE_MASK) bytes.
But some legitimate userspace might be already doing "write(fd, buffer, 20000);" for
smk_write_onlycap()/smk_write_relabel_self(). How can you guarantee that introducing
upper limit on the caller side does not break existing userspace tools?
If some caller wants size > 32767 for memdup_user_nul(), it is just a matter of introducing
vmemdup_user_nul(). memdup_user() and memdup_user_nul() had better behave similarly.
There is no reason to use different gfp flags between memdup_user() and memdup_user_nul().
> I hates fuzzers.
A surprising comment from security person. Smack is free to opt out of syzbot testing. :-)
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v3] mm: memdup_user*() should use same gfp flags
2021-01-27 23:19 ` Andrew Morton
2021-01-27 23:27 ` Casey Schaufler
@ 2021-01-28 8:06 ` Michal Hocko
1 sibling, 0 replies; 15+ messages in thread
From: Michal Hocko @ 2021-01-28 8:06 UTC (permalink / raw)
To: Andrew Morton
Cc: Tetsuo Handa, linux-mm, Sabyrzhan Tasbolatov, Casey Schaufler
On Wed 27-01-21 15:19:40, Andrew Morton wrote:
> On Wed, 27 Jan 2021 23:03:33 +0900 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> > On 2021/01/27 21:17, Michal Hocko wrote:
> > > On Wed 27-01-21 12:59:28, Michal Hocko wrote:
> > >> On Wed 27-01-21 19:55:38, Tetsuo Handa wrote:
> > >>> syzbot is reporting that memdup_user_nul() which receives user-controlled
> > >>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
> > >>> order >= MAX_ORDER path [1].
> > >>>
> > >>> Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail
> > >>> should be better than trying to enforce PAGE_SIZE upper limit, for some of
> > >>> callers accept space-delimited list arguments.
> > >>>
> > >>> Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with
> > >>> commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations
> > >>> warnings"). Also use GFP_USER as with other userspace-controllable
> > >>> allocations like memdup_user().
> > >>
> > >> I absolutely detest hiding this behind __GFP_NOWARN. There should be no
> > >> reason to even try hard for memdup_user_nul. Can you explain why this
> > >
> > > this should have been "try hard to get a physicaly contiguous memory for memdup_user_nul"
> > >
> > >> cannot use kvmalloc instead?
> > >
> >
> > There is no point with allowing userspace to allocate 2GB of physically non-contiguous
> > memory using kvmalloc(). Size is controlled by userspace, and memdup_user_nul() is used
> > for allocating temporary memory which will be released before returning to userspace.
> >
> > Sane userspace processes should allocate only one or a few pages using memdup_user_nul().
> > Just making insane user processes (like fuzzer) fail memory allocation requests is a
> > reasonable decision.
>
> (cc Casey)
>
> I'd say that the immediate problem is in smk_write_syslog(). Obviously
> it was implemented expecting small writes, but the fuzzer is passing it a
> huge write and things fall apart.
I am not familiar with this particular caller and having a limit check
which suits that particular usage is a reasonable thing to do.
I do argue two things
- using NOWARN to work around potentially buggy callers is just sweeping
the mess under the rug and opens
- these helper functions are to help copy user input and that doesn't
really need physically contiguous pages. This can even become
dangerous as a higher order depleting vector and DoS via OOM in the
worst case.
From that it sounds natural that the helper should be using kvmalloc.
This will not solve a due size check on the caller side but that is not
possible from a generic helper library function anyway. But it will
provide a reasonable allocation policy.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2021-01-28 8:19 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-20 4:18 [PATCH] mm: add __GFP_NOWARN to memdup_user_nul() Tetsuo Handa
2021-01-20 10:34 ` [PATCH v2] mm: memdup_user*() should use same gfp flags Tetsuo Handa
2021-01-22 1:35 ` Andrew Morton
2021-01-22 10:47 ` Tetsuo Handa
2021-01-25 13:32 ` Michal Hocko
2021-01-25 14:20 ` Tetsuo Handa
2021-01-25 15:44 ` Michal Hocko
2021-01-26 11:13 ` Sabyrzhan Tasbolatov
2021-01-27 10:55 ` [PATCH v3] " Tetsuo Handa
2021-01-27 11:59 ` Michal Hocko
2021-01-27 12:17 ` Michal Hocko
[not found] ` <3e01b180-0a5b-f2aa-6247-1c3bbcabe1ed@i-love.sakura.ne.jp>
2021-01-27 23:19 ` Andrew Morton
2021-01-27 23:27 ` Casey Schaufler
2021-01-28 7:42 ` Tetsuo Handa
2021-01-28 8:06 ` Michal Hocko
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.