From: Michal Hocko <mhocko@kernel.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, LKML <linux-kernel@vger.kernel.org>,
	Michal Hocko <mhocko@suse.com>, Kees Cook <keescook@chromium.org>,
	Vlastimil Babka <vbabka@suse.cz>
Subject: [PATCH 5/9] xattr: zero out memory copied to userspace in getxattr
Date: Mon,  6 Mar 2017 11:33:23 +0100
Message-ID: <20170306103327.2766-1-mhocko@kernel.org>
In-Reply-To: <20170306103032.2540-1-mhocko@kernel.org>

From: Michal Hocko <mhocko@suse.com>

getxattr uses vmalloc to allocate memory if kzalloc fails. This is
filled by vfs_getxattr and then copied to userspace. vmalloc,
however, doesn't zero out the memory, so if the specific implementation
of the xattr handler is sloppy we can theoretically expose kernel
memory. There is no real sign this is really the case but let's make
sure this will not happen and use vzalloc instead.

Fixes: 779302e67835 ("fs/xattr.c:getxattr(): improve handling of allocation failures")
Cc: stable # 3.6+
Acked-by: Kees Cook <keescook@chromium.org>
Spotted-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Michal Hocko <mhocko@suse.com>
---
 fs/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/xattr.c b/fs/xattr.c
index 7e3317cf4045..94f49a082dd2 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -530,7 +530,7 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
 			size = XATTR_SIZE_MAX;
 		kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
 		if (!kvalue) {
-			kvalue = vmalloc(size);
+			kvalue = vzalloc(size);
 			if (!kvalue)
 				return -ENOMEM;
 		}
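
Review bot: The new `kvalue = vzalloc(size);` line has no comment recording that the zero fill is required because this buffer is filled by the xattr handler and then copied to userspace, so a later cleanup of this open-coded kzalloc/vmalloc fallback could reintroduce a non-zeroing allocator unnoticed. The kzalloc() call two lines above already zeroes, so a one-line comment above the allocation stating that kvalue must be zero-filled on both paths would document the invariant in the code rather than only in the changelog. Zeroing also only keeps stale kernel data out of the copy when a handler writes fewer bytes than it reports; it does not correct such a handler, so the changelog could say whether any handlers were checked.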
-- 
2.11.0
