From: Mikulas Patocka <mpatocka@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	 Greg KH <gregkh@linuxfoundation.org>
Cc: "Yang, Chenyuan" <cy54@illinois.edu>,
	 "security@kernel.org" <security@kernel.org>,
	 "dm-devel@lists.linux.dev" <dm-devel@lists.linux.dev>,
	 "agk@redhat.com" <agk@redhat.com>,
	 "snitzer@kernel.org" <snitzer@kernel.org>,
	 "syzkaller@googlegroups.com" <syzkaller@googlegroups.com>,
	 "Zhang, Lingming" <lingming@illinois.edu>,
	 "Marinov, Darko" <marinov@illinois.edu>,
	 "Zhao, Zijie" <zijie4@illinois.edu>
Subject: Re: [LInux Kernel Crash] "WARNING: kmalloc bug in ctl_ioctl"
Date: Wed, 3 Jan 2024 20:15:14 +0100 (CET)	[thread overview]
Message-ID: <b7e39bbd-356e-8bae-7fca-e71ff067149@redhat.com> (raw)
In-Reply-To: <2023121655-exporter-deed-6fcb@gregkh>

On Sat, 16 Dec 2023, Greg KH wrote:

> On Fri, Dec 15, 2023 at 09:47:17PM +0000, Yang, Chenyuan wrote:
> > Hello Linux Kernel community,
> > 
> > We encountered a crash bug when testing the driver implemented in 
> > `drivers/md/dm-ioctl.c` by using Syzkaller. Notably, we generate the 
> > spec for this driver by ourselves and Syzkaller doesn’t have 
> > specification for it.
> > 
> > Based on our understanding, this bug is caused by `dmi = 
> > kvmalloc(param_kernel->data_size, GFP_NOIO | __GFP_HIGH);` in ` 
> > drivers/md/dm-ioctl.c` 
> > (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-ioctl.c#L1966), 
> > which `kvmalloc` a size more than INT_MAX.
> > 
> > A possible patch is to have a more strict check for the 
> > `param_kernel->data_size` in `copy_params` before calling `kvmalloc` 
> > while currently it only checks minimal size 
> > (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-ioctl.c#L1944).
> 
> Great, submit a patch based on this and see if it solves the issue you
> reported!
> 
> thanks,
> 
> greg k-h

Hi

I'd like to ask - what is the proper way of fixing these types of reports? 
(in this case, there is no overflow, and in the other case, there is 
kvcalloc that already checks for overflow). The offending ioctl can only be 
called by root - so there is no security danger.

Should we add the INT_MAX test before every kvmalloc call? (but repeating 
the same piece of code is anti-pattern).

Should we use __GFP_NOWARN? (but this would shut up also genuine 
warnings).

Should the warning be dropped from kvmalloc?

Should we do nothing because only root can trigger the warning?

Mikulas
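As an added illustration (not code from this thread or from the device-mapper driver), here is a user-space model of the two situations the message contrasts: a user-supplied `data_size` that is validated for a minimum only, so that a value above INT_MAX reaches the allocator's warning, versus a single central check that rejects it with an error before any allocation; and an element-count allocation whose multiplication is already overflow-checked, the kvcalloc case. The struct layout, function names, error codes and limits below are simplified assumptions; only the field name `data_size`, the INT_MAX boundary and the kvmalloc/kvcalloc behaviour come from the thread.

```c
/* Added example, not kernel code: a user-space model of the size
 * validation discussed in the thread. Struct layout, names and error
 * codes are assumptions; `data_size` and the INT_MAX bound are from the
 * discussion. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the ioctl header: only the field that matters here.
 * In the model, data_size covers the header plus the payload that follows. */
struct dm_ioctl_model {
    uint32_t version[3];
    uint32_t data_size;   /* supplied by user space, untrusted */
};

/* Distinct outcomes so a caller (or test) can tell which check fired. */
enum size_check {
    SIZE_OK = 0,
    SIZE_TOO_SMALL,   /* below the header size: the existing minimum check */
    SIZE_TOO_LARGE,   /* would hit the allocator's size > INT_MAX warning */
};

/* One central helper instead of repeating the INT_MAX comparison at every
 * allocation site. The thread notes that kvmalloc warns for sizes above
 * INT_MAX, so anything larger is rejected here with a plain error. */
enum size_check check_data_size(uint32_t data_size)
{
    if (data_size < sizeof(struct dm_ioctl_model))
        return SIZE_TOO_SMALL;
    if (data_size > (uint32_t)INT_MAX)
        return SIZE_TOO_LARGE;
    return SIZE_OK;
}

/* Model of a copy_params()-style routine: validate first, allocate only
 * after the check, so the allocator never sees an absurd size. Returns a
 * heap buffer (caller frees) or NULL, with the reason in *why. */
void *copy_params_model(const struct dm_ioctl_model *param_user,
                        enum size_check *why)
{
    *why = check_data_size(param_user->data_size);
    if (*why != SIZE_OK)
        return NULL;

    /* malloc stands in for kvmalloc; the size is now known to be sane. */
    void *dmi = malloc(param_user->data_size);
    if (dmi)
        memcpy(dmi, param_user, sizeof(*param_user));
    return dmi;
}

/* The "other case": an element-count allocation. kvcalloc already checks
 * n * size for overflow internally; this helper shows what that check is,
 * so a second manual check in front of it adds nothing. Returns false
 * when the product does not fit in size_t. */
bool checked_array_bytes(size_t n, size_t elem_size, size_t *out_bytes)
{
    size_t bytes;
    if (__builtin_mul_overflow(n, elem_size, &bytes))
        return false;
    *out_bytes = bytes;
    return true;
}
```

The point of keeping the bound in one helper is the one Mikulas raises: the check belongs at the trust boundary where `data_size` comes in from user space, not copied in front of each allocation call, and a rejected request should produce an error return rather than an allocator warning.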

Thread overview: 4+ messages
2023-12-15 21:47 [LInux Kernel Crash] "WARNING: kmalloc bug in ctl_ioctl" Yang, Chenyuan
2023-12-16  7:36 ` Greg KH
2024-01-03 19:15   ` Mikulas Patocka [this message]
2024-01-03 19:21     ` Linus Torvalds