[PATCH] seq_file: Unconditionally use vmalloc for buffer

[PATCH] seq_file: Unconditionally use vmalloc for buffer

[Kees Cook]

The sysfs interface to seq_file continues to be rather fragile, as seen
with some recent exploits[1]. Move the seq_file buffer to the vmap area
(while retaining the accounting flag), since it has guard pages that
will catch and stop linear overflows. This seems justified given that
seq_file already uses kvmalloc(), that allocations are normally short
lived, and that they are not normally performance critical.

[1] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 fs/seq_file.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/seq_file.c b/fs/seq_file.c
index cb11a34fb871..ad78577d4c2c 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -32,7 +32,7 @@ static void seq_set_overflow(struct seq_file *m)
 
 static void *seq_buf_alloc(unsigned long size)
 {
-	return kvmalloc(size, GFP_KERNEL_ACCOUNT);
+	return __vmalloc(size, GFP_KERNEL_ACCOUNT);
 }
 
 /**
@@ -130,7 +130,7 @@ static int traverse(struct seq_file *m, loff_t offset)
 
 Eoverflow:
 	m->op->stop(m, p);
-	kvfree(m->buf);
+	vfree(m->buf);
 	m->count = 0;
 	m->buf = seq_buf_alloc(m->size <<= 1);
 	return !m->buf ? -ENOMEM : -EAGAIN;
@@ -237,7 +237,7 @@ ssize_t seq_read_iter(struct kiocb *iocb, struct iov_iter *iter)
 			goto Fill;
 		// need a bigger buffer
 		m->op->stop(m, p);
-		kvfree(m->buf);
+		vfree(m->buf);
 		m->count = 0;
 		m->buf = seq_buf_alloc(m->size <<= 1);
 		if (!m->buf)
@@ -349,7 +349,7 @@ EXPORT_SYMBOL(seq_lseek);
 int seq_release(struct inode *inode, struct file *file)
 {
 	struct seq_file *m = file->private_data;
-	kvfree(m->buf);
+	vfree(m->buf);
 	kmem_cache_free(seq_file_cache, m);
 	return 0;
 }
@@ -585,7 +585,7 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
 		return -ENOMEM;
 	ret = single_open(file, show, data);
 	if (ret) {
-		kvfree(buf);
+		vfree(buf);
 		return ret;
 	}
 	((struct seq_file *)file->private_data)->buf = buf;
-- 
2.25.1

Re: [PATCH] seq_file: Unconditionally use vmalloc for buffer

[Greg Kroah-Hartman]

On Fri, Mar 12, 2021 at 12:55:58PM -0800, Kees Cook wrote:
> The sysfs interface to seq_file continues to be rather fragile, as seen
> with some recent exploits[1]. Move the seq_file buffer to the vmap area
> (while retaining the accounting flag), since it has guard pages that
> will catch and stop linear overflows. This seems justified given that
> seq_file already uses kvmalloc(), that allocations are normally short
> lived, and that they are not normally performance critical.
> 
> [1] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  fs/seq_file.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/seq_file.c b/fs/seq_file.c
> index cb11a34fb871..ad78577d4c2c 100644
> --- a/fs/seq_file.c
> +++ b/fs/seq_file.c
> @@ -32,7 +32,7 @@ static void seq_set_overflow(struct seq_file *m)
>  
>  static void *seq_buf_alloc(unsigned long size)
>  {
> -	return kvmalloc(size, GFP_KERNEL_ACCOUNT);
> +	return __vmalloc(size, GFP_KERNEL_ACCOUNT);

Maybe a small comment here like:
	/* use vmalloc as it has good bounds checking */
so we know why this is being used instead of kmalloc() or anything else?

Other than that, no objection from me:

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Re: [PATCH] seq_file: Unconditionally use vmalloc for buffer

[Michal Hocko]

On Fri 12-03-21 12:55:58, Kees Cook wrote:
> The sysfs interface to seq_file continues to be rather fragile, as seen
> with some recent exploits[1]. Move the seq_file buffer to the vmap area
> (while retaining the accounting flag), since it has guard pages that
> will catch and stop linear overflows. This seems justified given that
> seq_file already uses kvmalloc(), that allocations are normally short
> lived, and that they are not normally performance critical.

What is the runtime effect of this change? The interface is widely used
for many other interfaces - e.g. in proc. While from the correctness POV
this should be OK (ish for 64b it is definitely problem for kernels with
lowmem and limited vmalloc space). Vmalloc is also to be expected to
regress in performance for small allocations which is the most usual
case.
 
> [1] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  fs/seq_file.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/seq_file.c b/fs/seq_file.c
> index cb11a34fb871..ad78577d4c2c 100644
> --- a/fs/seq_file.c
> +++ b/fs/seq_file.c
> @@ -32,7 +32,7 @@ static void seq_set_overflow(struct seq_file *m)
>  
>  static void *seq_buf_alloc(unsigned long size)
>  {
> -	return kvmalloc(size, GFP_KERNEL_ACCOUNT);
> +	return __vmalloc(size, GFP_KERNEL_ACCOUNT);
>  }
>  
>  /**
> @@ -130,7 +130,7 @@ static int traverse(struct seq_file *m, loff_t offset)
>  
>  Eoverflow:
>  	m->op->stop(m, p);
> -	kvfree(m->buf);
> +	vfree(m->buf);
>  	m->count = 0;
>  	m->buf = seq_buf_alloc(m->size <<= 1);
>  	return !m->buf ? -ENOMEM : -EAGAIN;
> @@ -237,7 +237,7 @@ ssize_t seq_read_iter(struct kiocb *iocb, struct iov_iter *iter)
>  			goto Fill;
>  		// need a bigger buffer
>  		m->op->stop(m, p);
> -		kvfree(m->buf);
> +		vfree(m->buf);
>  		m->count = 0;
>  		m->buf = seq_buf_alloc(m->size <<= 1);
>  		if (!m->buf)
> @@ -349,7 +349,7 @@ EXPORT_SYMBOL(seq_lseek);
>  int seq_release(struct inode *inode, struct file *file)
>  {
>  	struct seq_file *m = file->private_data;
> -	kvfree(m->buf);
> +	vfree(m->buf);
>  	kmem_cache_free(seq_file_cache, m);
>  	return 0;
>  }
> @@ -585,7 +585,7 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
>  		return -ENOMEM;
>  	ret = single_open(file, show, data);
>  	if (ret) {
> -		kvfree(buf);
> +		vfree(buf);
>  		return ret;
>  	}
>  	((struct seq_file *)file->private_data)->buf = buf;
> -- 
> 2.25.1

-- 
Michal Hocko
SUSE Labs

Re: [PATCH] seq_file: Unconditionally use vmalloc for buffer

[Kees Cook]

On Mon, Mar 15, 2021 at 09:34:18AM +0100, Michal Hocko wrote:
> On Fri 12-03-21 12:55:58, Kees Cook wrote:
> > The sysfs interface to seq_file continues to be rather fragile, as seen
> > with some recent exploits[1]. Move the seq_file buffer to the vmap area
> > (while retaining the accounting flag), since it has guard pages that
> > will catch and stop linear overflows. This seems justified given that
> > seq_file already uses kvmalloc(), that allocations are normally short
> > lived, and that they are not normally performance critical.
> 
> What is the runtime effect of this change? The interface is widely used

I haven't been able to measure any differences yet, but maybe I lack
imagination about workloads that are heavy on /sys or /proc accesses.

> for many other interfaces - e.g. in proc. While from the correctness POV
> this should be OK (ish for 64b it is definitely problem for kernels with
> lowmem and limited vmalloc space). Vmalloc is also to be expected to
> regress in performance for small allocations which is the most usual
> case.

seq_file's default size is PAGE_SIZE (and just goes up by powers of 2
from there), with the rare (3 callers) exception of single_open_size(),
which for at least 1 case is always >PAGE_SIZE. (I realize PAGE_SIZE may
be considered "small" for vmalloc, but I think gaining the guard page is
worth it, given the recurring flaws we see with at least sysfs handlers.)

-Kees

>  
> > [1] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
> > 
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  fs/seq_file.c | 10 +++++-----
> >  1 file changed, 5 insertions(+), 5 deletions(-)
> > 
> > diff --git a/fs/seq_file.c b/fs/seq_file.c
> > index cb11a34fb871..ad78577d4c2c 100644
> > --- a/fs/seq_file.c
> > +++ b/fs/seq_file.c
> > @@ -32,7 +32,7 @@ static void seq_set_overflow(struct seq_file *m)
> >  
> >  static void *seq_buf_alloc(unsigned long size)
> >  {
> > -	return kvmalloc(size, GFP_KERNEL_ACCOUNT);
> > +	return __vmalloc(size, GFP_KERNEL_ACCOUNT);
> >  }
> >  
> >  /**
> > @@ -130,7 +130,7 @@ static int traverse(struct seq_file *m, loff_t offset)
> >  
> >  Eoverflow:
> >  	m->op->stop(m, p);
> > -	kvfree(m->buf);
> > +	vfree(m->buf);
> >  	m->count = 0;
> >  	m->buf = seq_buf_alloc(m->size <<= 1);
> >  	return !m->buf ? -ENOMEM : -EAGAIN;
> > @@ -237,7 +237,7 @@ ssize_t seq_read_iter(struct kiocb *iocb, struct iov_iter *iter)
> >  			goto Fill;
> >  		// need a bigger buffer
> >  		m->op->stop(m, p);
> > -		kvfree(m->buf);
> > +		vfree(m->buf);
> >  		m->count = 0;
> >  		m->buf = seq_buf_alloc(m->size <<= 1);
> >  		if (!m->buf)
> > @@ -349,7 +349,7 @@ EXPORT_SYMBOL(seq_lseek);
> >  int seq_release(struct inode *inode, struct file *file)
> >  {
> >  	struct seq_file *m = file->private_data;
> > -	kvfree(m->buf);
> > +	vfree(m->buf);
> >  	kmem_cache_free(seq_file_cache, m);
> >  	return 0;
> >  }
> > @@ -585,7 +585,7 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
> >  		return -ENOMEM;
> >  	ret = single_open(file, show, data);
> >  	if (ret) {
> > -		kvfree(buf);
> > +		vfree(buf);
> >  		return ret;
> >  	}
> >  	((struct seq_file *)file->private_data)->buf = buf;
> > -- 
> > 2.25.1
> 
> -- 
> Michal Hocko
> SUSE Labs

-- 
Kees Cook