From: Vegard Nossum <vegard.nossum@oracle.com>
To: Christoph Hellwig <hch@lst.de>
Cc: Kees Cook <keescook@chromium.org>,
	Iurii Zaikin <yzaikin@google.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	linux-kernel@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
	bpf@vger.kernel.org, Andrey Ignatov <rdna@fb.com>
Subject: Re: WARNING: CPU: 1 PID: 52 at mm/page_alloc.c:4826 __alloc_pages_nodemask (Re: [PATCH 5/5] sysctl: pass kernel pointers to ->proc_handler)
Date: Mon, 8 Jun 2020 09:45:49 +0200
Message-ID: <c0f216d1-edc1-68e6-7f3e-c00e33452707@oracle.com>
In-Reply-To: <20200608065120.GA17859@lst.de>


On 2020-06-08 08:51, Christoph Hellwig wrote:
> On Thu, Jun 04, 2020 at 10:22:21PM +0200, Vegard Nossum wrote:
>> It's easy to reproduce by just doing
>>
>>      read(open("/proc/sys/vm/swappiness", O_RDONLY), 0, 512UL * 1024 * 1024 * 1024);
>>
>> or so. Reverting the commit fixes the issue for me.
> 
> Yes, doing giant allocations will fail and trace.  We have two options
> here that both seem sensible:
> 
>   - truncate sysctl calls to some sensible length
>   - (optionally) use vmalloc
> 
> Is this a real application or just a test case trying to do the
> stupidmost possible thing?
> 

Just a test case.

Allowing the kernel to allocate an unbounded amount of memory on behalf
of userspace is an easy DOS.

All the length checks were already in there, e.g.

  static int cmm_timeout_handler(struct ctl_table *ctl, int write,
                               void __user *buffer, size_t *lenp, loff_t *ppos)
  {
         char buf[64], *p;
[...]
                 len = min(*lenp, sizeof(buf));
                 if (copy_from_user(buf, buffer, len))
                         return -EFAULT;


Vegard
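
The "truncate to some sensible length" option from the quoted reply, as an added userspace sketch. It is not code from this thread or from the kernel, and sysctl_read_model, demo_handler and SYSCTL_BUF_CAP are hypothetical names with an assumed cap. The user-supplied count is clamped before it is allowed to size the buffer handed to the handler.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYSCTL_BUF_CAP 4096u   /* assumed cap for this sketch, not a kernel constant */

static size_t last_alloc;      /* size most recently requested from the allocator */

/* Stand-in for a ->proc_handler that is handed a kernel buffer: formats the
 * value into kbuf (capacity *lenp + 1) and sets *lenp to the bytes produced. */
static int demo_handler(int value, char *kbuf, size_t *lenp)
{
    int n = snprintf(kbuf, *lenp + 1, "%d\n", value);

    if (n < 0)
        return -1;
    if ((size_t)n < *lenp)
        *lenp = (size_t)n;     /* short read: less data than the caller asked for */
    return 0;
}

/* Model of the dispatch layer. count is whatever userspace passed to read(2);
 * it is clamped before it is allowed to size an allocation. */
static long sysctl_read_model(int value, char *ubuf, size_t count)
{
    size_t len = count < SYSCTL_BUF_CAP ? count : SYSCTL_BUF_CAP;
    char *kbuf;

    if (len == 0)
        return 0;
    last_alloc = len + 1;                 /* +1 for the terminating NUL */
    kbuf = calloc(1, last_alloc);
    if (!kbuf)
        return -12;                       /* -ENOMEM */
    if (demo_handler(value, kbuf, &len)) {
        free(kbuf);
        return -22;                       /* -EINVAL */
    }
    memcpy(ubuf, kbuf, len);              /* stands in for copy_to_user() */
    free(kbuf);
    return (long)len;
}

int main(void)
{
    char ubuf[64];
    /* Same count as the reproducer in the message (assumes 64-bit size_t). */
    long n = sysctl_read_model(60, ubuf, (size_t)512 << 30);

    printf("returned %ld bytes, allocated %zu\n", n, last_alloc);
    return 0;
}
```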
