net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
diff mbox series

Message ID 20210201203233.1324704-1-snovitoll@gmail.com
State Accepted
Commit a11148e6fcce2ae53f47f0a442d098d860b4f7db
Headers show
Series
  • net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
Related show

Commit Message

Sabyrzhan Tasbolatov Feb. 1, 2021, 8:32 p.m. UTC
syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
control message is passed with user-controlled
0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.

The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
is the closest limit, with 0x10 leftover.

Same condition is currently done in rds_cmsg_rdma_args().

[1] WARNING: mm/page_alloc.c:5011
[..]
Call Trace:
 alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
 alloc_pages include/linux/gfp.h:547 [inline]
 kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
 kmalloc_array include/linux/slab.h:592 [inline]
 kcalloc include/linux/slab.h:621 [inline]
 rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568
 rds_rm_size net/rds/send.c:928 [inline]

Reported-by: syzbot+1bd2b07f93745fa38425@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
---
 net/rds/rdma.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Santosh Shilimkar Feb. 1, 2021, 8:40 p.m. UTC | #1
On Feb 1, 2021, at 12:32 PM, Sabyrzhan Tasbolatov <snovitoll@gmail.com> wrote:
> 
> syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
> control message is passed with user-controlled
> 0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.
> 
> The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
> So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
> is the closest limit, with 0x10 leftover.
> 
> Same condition is currently done in rds_cmsg_rdma_args().
> 
> [1] WARNING: mm/page_alloc.c:5011
> [..]
> Call Trace:
> alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
> alloc_pages include/linux/gfp.h:547 [inline]
> kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
> kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
> kmalloc_array include/linux/slab.h:592 [inline]
> kcalloc include/linux/slab.h:621 [inline]
> rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568
> rds_rm_size net/rds/send.c:928 [inline]
> 
> Reported-by: syzbot+1bd2b07f93745fa38425@syzkaller.appspotmail.com
> Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
> —
Looks fine by me.
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
patchwork-bot+netdevbpf@kernel.org Feb. 2, 2021, 4:50 p.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Tue,  2 Feb 2021 02:32:33 +0600 you wrote:
> syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
> control message is passed with user-controlled
> 0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.
> 
> The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
> So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
> is the closest limit, with 0x10 leftover.
> 
> [...]

Here is the summary with links:
  - net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
    https://git.kernel.org/netdev/net/c/a11148e6fcce

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Patch
diff mbox series

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 1d0afb1dd77b..6f1a50d50d06 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -565,6 +565,9 @@  int rds_rdma_extra_size(struct rds_rdma_args *args,
 	if (args->nr_local == 0)
 		return -EINVAL;
 
+	if (args->nr_local > UIO_MAXIOV)
+		return -EMSGSIZE;
+
 	iov->iov = kcalloc(args->nr_local,
 			   sizeof(struct rds_iovec),
 			   GFP_KERNEL);