From: Daniel Borkmann <daniel@iogearbox.net>
To: David Laight <David.Laight@ACULAB.COM>,
'Marcelo Ricardo Leitner' <marcelo.leitner@gmail.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Cc: "linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>,
"syzkaller@googlegroups.com" <syzkaller@googlegroups.com>,
"dvyukov@google.com" <dvyukov@google.com>,
"kcc@google.com" <kcc@google.com>,
"glider@google.com" <glider@google.com>,
"sasha.levin@oracle.com" <sasha.levin@oracle.com>,
"edumazet@google.com" <edumazet@google.com>
Subject: Re: [PATCH] sctp: use GFP_USER for user-controlled kmalloc
Date: Tue, 01 Dec 2015 11:29:40 +0000
Message-ID: <565D84A4.3080408@iogearbox.net>
In-Reply-To: <063D6719AE5E284EB5DD2968C1650D6D1CBDF85D@AcuExch.aculab.com>

On 12/01/2015 11:46 AM, David Laight wrote:
> From: Marcelo Ricardo Leitner
>> Sent: 30 November 2015 16:33
>> Dmitry Vyukov reported that the user could trigger a kernel warning by
>> using a large len value for getsockopt SCTP_GET_LOCAL_ADDRS, as that
>> value directly affects the value used as a kmalloc() parameter.
>>
>> This patch thus switches the allocation flags from all user-controllable
>> kmalloc size to GFP_USER to put some more restrictions on it and also
>> disables the warn, as they are not necessary.
>
> ISTM that the code should put some 'sanity limit' on that
> size before allocating the kernel buffer.

One could do that in addition, but this buffer has just a short lifetime
and by using GFP_USER hardwall restrictions apply already.
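
The "sanity limit" idea raised in the thread, sketched as an added example that is not part of any message here nor taken from the kernel source: a userspace C model of an option handler that sizes its temporary buffer from the data it has to return instead of from the caller-supplied length. All names (`get_addrs_model`, `assoc_model`, `REC_SIZE`, `MAX_RECS`) and the record layout are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: every name here is hypothetical, not a kernel symbol. */
#define REC_SIZE 16u            /* constructed size of one address record */
#define MAX_RECS 8u             /* constructed upper bound on records */

struct assoc_model {
    size_t nrecs;                           /* addresses actually bound */
    unsigned char recs[MAX_RECS][REC_SIZE];
};

/*
 * user_len plays the role of the caller-supplied option length.
 * Returns bytes written to out, or a negative errno value.
 * *scratch_size reports how large the temporary allocation was.
 */
long get_addrs_model(const struct assoc_model *a, size_t user_len,
                     unsigned char *out, size_t *scratch_size)
{
    size_t need;
    unsigned char *scratch;

    *scratch_size = 0;
    if (a->nrecs > MAX_RECS)
        return -EINVAL;
    need = a->nrecs * REC_SIZE;             /* at most MAX_RECS * REC_SIZE */
    if (user_len < need)
        return -ENOMEM;                     /* caller's buffer is too small */

    /* Sanity limit: allocate what the data needs, never user_len itself. */
    *scratch_size = need;
    scratch = malloc(need ? need : 1);
    if (!scratch)
        return -ENOMEM;
    memcpy(scratch, a->recs, need);         /* stage the records */
    memcpy(out, scratch, need);             /* stands in for copy_to_user() */
    free(scratch);
    return (long)need;
}

int main(void)
{
    struct assoc_model a = { .nrecs = 2 };
    unsigned char out[MAX_RECS * REC_SIZE];
    size_t used;
    return get_addrs_model(&a, SIZE_MAX / 2, out, &used) == 32 ? 0 : 1;
}
```
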