From: Stefan Hajnoczi <stefanha@redhat.com>
To: Deepanshu Kartikey <kartikey406@gmail.com>
Cc: axboe@kernel.dk, martin.petersen@oracle.com, hare@suse.de,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+660d079d90f8a1baf54d@syzkaller.appspotmail.com
Subject: Re: [PATCH v3] block: add allocation size check in blkdev_pr_read_keys()
Date: Wed, 17 Dec 2025 09:05:13 -0500 [thread overview]
Message-ID: <20251217140513.GA43988@fedora> (raw)
In-Reply-To: <20251217014712.35771-1-kartikey406@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1682 bytes --]
On Wed, Dec 17, 2025 at 07:17:12AM +0530, Deepanshu Kartikey wrote:
> blkdev_pr_read_keys() takes num_keys from userspace and uses it to
> calculate the allocation size for keys_info via struct_size(). While
> there is a check for SIZE_MAX (integer overflow), there is no upper
> bound validation on the allocation size itself.
>
> A malicious or buggy userspace can pass a large num_keys value that
> doesn't trigger overflow but still results in an excessive allocation
> attempt, causing a warning in the page allocator when the order exceeds
> MAX_PAGE_ORDER.
>
> Fix this by introducing PR_KEYS_MAX to limit the number of keys to
> a sane value. This makes the SIZE_MAX check redundant, so remove it.
> Also switch to kvzalloc/kvfree to handle larger allocations gracefully.
>
> Fixes: 22a1ffea5f80 ("block: add IOC_PR_READ_KEYS ioctl")
> Tested-by: syzbot+660d079d90f8a1baf54d@syzkaller.appspotmail.com
> Reported-by: syzbot+660d079d90f8a1baf54d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=660d079d90f8a1baf54d
> Link: https://lore.kernel.org/all/20251212013510.3576091-1-kartikey406@gmail.com/T/ [v1]
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
> v3:
> - Renamed PR_KEYS_MAX_NUM to PR_KEYS_MAX
> - Moved define to include/uapi/linux/pr.h
> v2:
> - Added PR_KEYS_MAX_NUM (64K) limit instead of checking KMALLOC_MAX_SIZE
> - Removed redundant SIZE_MAX check
> - Switched to kvzalloc/kvfree
> ---
> block/ioctl.c | 9 +++++----
> include/uapi/linux/pr.h | 2 ++
> 2 files changed, 7 insertions(+), 4 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2025-12-17 14:05 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-17 1:47 [PATCH v3] block: add allocation size check in blkdev_pr_read_keys() Deepanshu Kartikey
2025-12-17 14:05 ` Stefan Hajnoczi [this message]
2025-12-17 14:12 ` Martin K. Petersen
2025-12-17 14:36 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251217140513.GA43988@fedora \
--to=stefanha@redhat.com \
--cc=axboe@kernel.dk \
--cc=hare@suse.de \
--cc=kartikey406@gmail.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=syzbot+660d079d90f8a1baf54d@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox