From: Bart Van Assche <bvanassche@acm.org>
To: Harshad Shirwadkar <harshadshirwadkar@gmail.com>,
linux-block@vger.kernel.org
Subject: Re: [PATCH] blktrace: put bounds on BLKTRACESETUP buf_size and buf_nr
Date: Thu, 4 Jun 2020 21:31:12 -0700 [thread overview]
Message-ID: <49a4c410-6d42-46b3-adde-1d0a8fc6b594@acm.org> (raw)
In-Reply-To: <20200604054434.216698-1-harshadshirwadkar@gmail.com>
On 2020-06-03 22:44, Harshad Shirwadkar wrote:
> Make sure that user requested memory via BLKTRACESETUP is within
> bounds. This can be easily exploited by setting really large values
> for buf_size and buf_nr in BLKTRACESETUP ioctl.
>
> blktrace program has following hardcoded values for bufsize and bufnr:
> BUF_SIZE=(512 * 1024)
> BUF_NR=(4)
Where is the code that imposes these limits? I haven't found it. Did I
perhaps overlook something?
> diff --git a/include/uapi/linux/blktrace_api.h b/include/uapi/linux/blktrace_api.h
> index 690621b610e5..4d9dc44a83f9 100644
> --- a/include/uapi/linux/blktrace_api.h
> +++ b/include/uapi/linux/blktrace_api.h
> @@ -129,6 +129,9 @@ enum {
> };
>
> #define BLKTRACE_BDEV_SIZE 32
> +#define BLKTRACE_MAX_BUFSIZ (1024 * 1024)
> +#define BLKTRACE_MAX_BUFNR 16
> +#define BLKTRACE_MAX_ALLOC ((BLKTRACE_MAX_BUFNR) * (BLKTRACE_MAX_BUFNR))
Adding these constants to the user space API is a very inflexible
approach. There must be better approaches to export constants like these
to user space, e.g. through sysfs attributes.
It probably will be easier to get a patch like this one upstream if the
uapi headers are not modified.
> /*
> * User setup structure passed with BLKTRACESETUP
> diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> index ea47f2084087..b3b0a8164c05 100644
> --- a/kernel/trace/blktrace.c
> +++ b/kernel/trace/blktrace.c
> @@ -482,6 +482,9 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
> if (!buts->buf_size || !buts->buf_nr)
> return -EINVAL;
>
> + if (buts->buf_size * buts->buf_nr > BLKTRACE_MAX_ALLOC)
> + return -E2BIG;
> +
> if (!blk_debugfs_root)
> return -ENOENT;
Where do the overflow(s) happen if buts->buf_size and buts->buf_nr are
large? Is the following code from relay_open() the only code that can
overflow?
chan->alloc_size = PAGE_ALIGN(subbuf_size * n_subbufs);
Thanks,
Bart.
next prev parent reply other threads:[~2020-06-05 4:31 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-04 5:44 [PATCH] blktrace: put bounds on BLKTRACESETUP buf_size and buf_nr Harshad Shirwadkar
2020-06-04 7:10 ` Chaitanya Kulkarni
2020-06-04 15:26 ` harshad shirwadkar
2020-06-05 4:31 ` Bart Van Assche [this message]
2020-06-05 5:02 ` harshad shirwadkar
2020-06-05 13:43 ` Bart Van Assche
2020-06-05 17:39 ` harshad shirwadkar
2020-06-08 6:42 ` Chaitanya Kulkarni
2020-06-08 6:40 ` Chaitanya Kulkarni
2020-06-08 14:20 ` Bart Van Assche
2020-06-08 21:59 ` Chaitanya Kulkarni
2020-06-08 23:40 ` harshad shirwadkar
2020-06-09 0:00 ` Chaitanya Kulkarni
2020-06-08 6:34 ` Chaitanya Kulkarni
2020-06-08 14:13 ` Bart Van Assche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49a4c410-6d42-46b3-adde-1d0a8fc6b594@acm.org \
--to=bvanassche@acm.org \
--cc=harshadshirwadkar@gmail.com \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.