From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=If0M=MO=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.6 required=3.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 8A726C6377B
	for <linux-mm@archiver.kernel.org>; Thu, 22 Jul 2021 00:15:20 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 9692861249
	for <linux-mm@archiver.kernel.org>; Thu, 22 Jul 2021 00:15:19 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9692861249
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=infradead.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id CCFCF6B0036; Wed, 21 Jul 2021 20:15:18 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id C7FBF6B005D; Wed, 21 Jul 2021 20:15:18 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id B95806B006C; Wed, 21 Jul 2021 20:15:18 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0143.hostedemail.com [216.40.44.143])
	by kanga.kvack.org (Postfix) with ESMTP id 9DA4C6B0036
	for <linux-mm@kvack.org>; Wed, 21 Jul 2021 20:15:18 -0400 (EDT)
Received: from smtpin21.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 452DF8248076
	for <linux-mm@kvack.org>; Thu, 22 Jul 2021 00:15:18 +0000 (UTC)
X-FDA: 78388304316.21.405CE97
Received: from casper.infradead.org (casper.infradead.org [90.155.50.34])
	by imf25.hostedemail.com (Postfix) with ESMTP id 4A897B01CF18
	for <linux-mm@kvack.org>; Thu, 22 Jul 2021 00:15:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version:
	References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
	Content-Transfer-Encoding:Content-ID:Content-Description;
	bh=JlC7x4HHDcOKXJYHkjPYWZJQfgICJvrDTgByLHtxKD8=; b=CIgPBTORGNndgMQ80q6kGI77rm
	WoNQINcAfsU2DnAI6JmbJNvDcj1Ov4uh2HKB8nWXwbEtb+2YGNkUaGyRZ1WzKG4v1ypHvpMhtk3xD
	8P6UKuiElHOOm/2U6ymEahBCkbLGFlX8+12cRcrjTUQhdBUkgJuFwITT6cneOeY90kTiV7SnYC9Cl
	2FaFXvRbxckywvrtZb1Hemd5JiamMf0JEhPu00XmDivzfz5wUMc0yj9qYQ4jyYOdABR5Cj1qZpAP6
	L99VoK5rop2NnFiD1LB6ujQCRTXttHXmyVxWjqi4U+GgT7Gou5ZxeIfVTgik8ksfTQVSUJID5q6YP
	VqbtGFIQ==;
Received: from willy by casper.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux))
	id 1m6MM9-009jO8-HH; Thu, 22 Jul 2021 00:14:44 +0000
Date: Thu, 22 Jul 2021 01:14:29 +0100
From: Matthew Wilcox <willy@infradead.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	Qualys Security Advisory <qsa@qualys.com>,
	Eric Sandeen <sandeen@redhat.com>, Linux-MM <linux-mm@kvack.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: Make kvmalloc refuse to allocate more than 2GB
Message-ID: <YPi4ZWzoKUvkJMJG@casper.infradead.org>
References: <20210721184131.2264356-1-willy@infradead.org>
 <CAHk-=wjOZQ1yvG+FvP-sDgGaDzmXoxC7KjDMUerw_Z2QYyAHmA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHk-=wjOZQ1yvG+FvP-sDgGaDzmXoxC7KjDMUerw_Z2QYyAHmA@mail.gmail.com>
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: 4A897B01CF18
X-Stat-Signature: 5xbyppaa7sd3gzcyipksq7fyoh14xydi
Authentication-Results: imf25.hostedemail.com;
	dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=CIgPBTOR;
	dmarc=none;
	spf=none (imf25.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org
X-HE-Tag: 1626912917-299733
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Jul 21, 2021 at 01:46:09PM -0700, Linus Torvalds wrote:
> On Wed, Jul 21, 2021 at 11:42 AM Matthew Wilcox (Oracle)
> <willy@infradead.org> wrote:
> >
> > It's generally dangerous to allocate such large quantities of memory
> > within the kernel owing to our propensity to use 'int' to represent
> > a length.  If somebody really needs it, we can add a kvmalloc_large()
> > later, but let's default to "You can't allocate that much memory".
> 
> I really think that without the WARN_ON_ONCE(), this is just moving
> that failure point from a known good place ("we know this must not
> succeed") to a possibly bad place ("this might cause silent and
> hard-to-understand failures elsewhere").

To a certain extent, yes.  On the other hand, if you don't have any
error handling on your kvmalloc of 2GB, Qualys seems to have a reliable
way to run you out of vmalloc space, and that's going to get exercised.

My initial thought was to leverage the existing __GFP_NOWARN code:

        if (size > PAGE_SIZE) {
-               kmalloc_flags |= __GFP_NOWARN;
+               if (size <= INT_MAX)
+                       kmalloc_flags |= __GFP_NOWARN;

because that dumps some interesting information (ratelimited), which
might help the sysadmin realise they're under attack.  A WARN_ON_ONCE
is one-and-done, so an attacker can hide their tracks.  Unfortunately,
we actually bail out before getting there:

        if (unlikely(order >= MAX_ORDER)) {
                WARN_ON_ONCE(!(gfp & __GFP_NOWARN));
                return NULL;
        }

... maybe that should call warn_alloc() too.

So I'm now thinking (relative to the earlier patch):

-       if (size > INT_MAX)
+       if (size > INT_MAX) {
+               warn_alloc(flags, NULL, "oversized allocation:%zu", size);
                return NULL;
+       }