* [PATCH] dlm: check the maximum size of a request from user
From: Sasha Levin @ 2012-09-09 14:16 UTC (permalink / raw)
To: ccaulfie, teigland; +Cc: cluster-devel, linux-kernel, davej, Sasha Levin
device_write only checks whether the request size is big enough, but it doesn't
check if the size is too big.
At that point, it also tries to allocate as much memory as the user has requested
even if it's too much. This can lead to OOM killer kicking in, or memory corruption
if (count + 1) overflows.
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
---
fs/dlm/user.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index eb4ed9b..7ff4985 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -503,6 +503,13 @@ static ssize_t device_write(struct file *file, const char __user *buf,
#endif
return -EINVAL;
+#ifdef CONFIG_COMPAT
+ if (count > sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN)
+#else
+ if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
+#endif
+ return -EINVAL;
+
kbuf = kzalloc(count + 1, GFP_NOFS);
if (!kbuf)
return -ENOMEM;
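Review bot: the upper bound in the added `#ifdef CONFIG_COMPAT` branch is chosen at compile time, so on a kernel built with CONFIG_COMPAT every caller, including a native one, is limited to `sizeof(struct dlm_write_request32) + DLM_RESNAME_MAXLEN`. If the 32-bit layout is smaller than `struct dlm_write_request`, a native request carrying a maximum-length resource name would now be rejected with -EINVAL. Consider selecting the struct size per caller at run time (for example with is_compat_task()) or bounding by the larger of the two sizes, and add a short comment explaining why DLM_RESNAME_MAXLEN is the correct limit for the data that follows the fixed header.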
--
1.7.12
* Re: [PATCH] dlm: check the maximum size of a request from user
From: David Teigland @ 2012-09-10 15:43 UTC (permalink / raw)
To: Sasha Levin; +Cc: ccaulfie, cluster-devel, linux-kernel, davej
On Sun, Sep 09, 2012 at 04:16:58PM +0200, Sasha Levin wrote:
> device_write only checks whether the request size is big enough, but it doesn't
> check if the size is too big.
>
> At that point, it also tries to allocate as much memory as the user has requested
> even if it's too much. This can lead to OOM killer kicking in, or memory corruption
> if (count + 1) overflows.
thanks, pushed to next