* [PATCH] sctp: use GFP_USER for user-controlled kmalloc
[not found] <CACT4Y+a_V5WQZNEnYkuA3Xc5qCWmLV3oScNeNiATZm-wW5eg3Q@mail.gmail.comc>
@ 2015-11-30 16:32 ` Marcelo Ricardo Leitner
2015-12-01 10:46 ` David Laight
2015-12-03 4:40 ` David Miller
0 siblings, 2 replies; 4+ messages in thread
From: Marcelo Ricardo Leitner @ 2015-11-30 16:32 UTC (permalink / raw)
To: netdev
Cc: linux-sctp, Vlad Yasevich, Neil Horman, daniel, linux-kernel,
davem, syzkaller, dvyukov, kcc, glider, sasha.levin, edumazet
Dmitry Vyukov reported that the user could trigger a kernel warning by
using a large len value for getsockopt SCTP_GET_LOCAL_ADDRS, as that
value directly affects the value used as a kmalloc() parameter.
This patch thus switches the allocation flags from all user-controllable
kmalloc size to GFP_USER to put some more restrictions on it and also
disables the warn, as they are not necessary.
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
---
net/sctp/socket.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 897c01c029cab3d5805cc56b0964c70e06f4143a..676b3bb092e16848fd1c822e1c999af4a2ef198d 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -972,7 +972,7 @@ static int sctp_setsockopt_bindx(struct sock *sk,
return -EFAULT;
/* Alloc space for the address array in kernel memory. */
- kaddrs = kmalloc(addrs_size, GFP_KERNEL);
+ kaddrs = kmalloc(addrs_size, GFP_USER | __GFP_NOWARN);
if (unlikely(!kaddrs))
return -ENOMEM;
@@ -4928,7 +4928,7 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len,
to = optval + offsetof(struct sctp_getaddrs, addrs);
space_left = len - offsetof(struct sctp_getaddrs, addrs);
- addrs = kmalloc(space_left, GFP_KERNEL);
+ addrs = kmalloc(space_left, GFP_USER | __GFP_NOWARN);
if (!addrs)
return -ENOMEM;
--
2.5.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* RE: [PATCH] sctp: use GFP_USER for user-controlled kmalloc
2015-11-30 16:32 ` [PATCH] sctp: use GFP_USER for user-controlled kmalloc Marcelo Ricardo Leitner
@ 2015-12-01 10:46 ` David Laight
2015-12-01 11:29 ` Daniel Borkmann
2015-12-03 4:40 ` David Miller
1 sibling, 1 reply; 4+ messages in thread
From: David Laight @ 2015-12-01 10:46 UTC (permalink / raw)
To: 'Marcelo Ricardo Leitner', netdev
Cc: linux-sctp, Vlad Yasevich, Neil Horman, daniel, linux-kernel,
davem, syzkaller, dvyukov, kcc, glider, sasha.levin, edumazet
From: Marcelo Ricardo Leitner
> Sent: 30 November 2015 16:33
> Dmitry Vyukov reported that the user could trigger a kernel warning by
> using a large len value for getsockopt SCTP_GET_LOCAL_ADDRS, as that
> value directly affects the value used as a kmalloc() parameter.
>
> This patch thus switches the allocation flags from all user-controllable
> kmalloc size to GFP_USER to put some more restrictions on it and also
> disables the warn, as they are not necessary.
ISTM that the code should put some 'sanity limit' on that
size before allocating the kernel buffer.
David
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] sctp: use GFP_USER for user-controlled kmalloc
2015-12-01 10:46 ` David Laight
@ 2015-12-01 11:29 ` Daniel Borkmann
0 siblings, 0 replies; 4+ messages in thread
From: Daniel Borkmann @ 2015-12-01 11:29 UTC (permalink / raw)
To: David Laight, 'Marcelo Ricardo Leitner', netdev
Cc: linux-sctp, Vlad Yasevich, Neil Horman, linux-kernel, davem,
syzkaller, dvyukov, kcc, glider, sasha.levin, edumazet
On 12/01/2015 11:46 AM, David Laight wrote:
> From: Marcelo Ricardo Leitner
>> Sent: 30 November 2015 16:33
>> Dmitry Vyukov reported that the user could trigger a kernel warning by
>> using a large len value for getsockopt SCTP_GET_LOCAL_ADDRS, as that
>> value directly affects the value used as a kmalloc() parameter.
>>
>> This patch thus switches the allocation flags from all user-controllable
>> kmalloc size to GFP_USER to put some more restrictions on it and also
>> disables the warn, as they are not necessary.
>
> ISTM that the code should put some 'sanity limit' on that
> size before allocating the kernel buffer.
One could do that in addition, but this buffer has just a short lifetime
and by using GFP_USER hardwall restrictions apply already.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] sctp: use GFP_USER for user-controlled kmalloc
2015-11-30 16:32 ` [PATCH] sctp: use GFP_USER for user-controlled kmalloc Marcelo Ricardo Leitner
2015-12-01 10:46 ` David Laight
@ 2015-12-03 4:40 ` David Miller
1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2015-12-03 4:40 UTC (permalink / raw)
To: marcelo.leitner
Cc: netdev, linux-sctp, vyasevich, nhorman, daniel, linux-kernel,
syzkaller, dvyukov, kcc, glider, sasha.levin, edumazet
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Date: Mon, 30 Nov 2015 14:32:54 -0200
> Dmitry Vyukov reported that the user could trigger a kernel warning by
> using a large len value for getsockopt SCTP_GET_LOCAL_ADDRS, as that
> value directly affects the value used as a kmalloc() parameter.
>
> This patch thus switches the allocation flags from all user-controllable
> kmalloc size to GFP_USER to put some more restrictions on it and also
> disables the warn, as they are not necessary.
>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Applied.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-12-03 4:40 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <CACT4Y+a_V5WQZNEnYkuA3Xc5qCWmLV3oScNeNiATZm-wW5eg3Q@mail.gmail.comc>
2015-11-30 16:32 ` [PATCH] sctp: use GFP_USER for user-controlled kmalloc Marcelo Ricardo Leitner
2015-12-01 10:46 ` David Laight
2015-12-01 11:29 ` Daniel Borkmann
2015-12-03 4:40 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).