public inbox for linux-fsdevel@vger.kernel.org
* [PATCH] iov_iter: use kmemdup_array for dup_iter to harden against overflow
@ 2026-04-13  6:06 Wang Haoran
  2026-04-14  8:18 ` Christoph Hellwig
  2026-04-14  9:46 ` Christian Brauner
  0 siblings, 2 replies; 3+ messages in thread
From: Wang Haoran @ 2026-04-13  6:06 UTC (permalink / raw)
  To: viro, akpm; +Cc: linux-block, linux-fsdevel, linux-kernel, Wang Haoran

While auditing the Linux 7.0-rc2 kernel, I identified a potential security
vulnerability in the iov_iter framework's memory allocation logic.

The dup_iter() function, which is exported via EXPORT_SYMBOL, currently
uses kmemdup() with a raw multiplication to allocate the duplicate iovec array:

new->iov = kmemdup(from->iov, nr_segs * sizeof(struct iovec), gfp);

The hazard here is that dup_iter() relies on a primitive multiplication without
any integrated overflow check. Since nr_segs is often derived from user-space
input, this line is vulnerable to integer overflow (on 32-bit systems or
via type narrowing), potentially leading to a small allocation followed by a
large out-of-bounds memory copy. Furthermore, it allows for unbounded memory
allocations, as the function lacks intrinsic knowledge of safe limits.

On the 7.0-rc2 branch, several high-impact callchains still rely on this
exported function:

drivers/usb/gadget/function/f_fs.c:
The ffs_epfile_read_iter() path demonstrates why relying on dup_iter() is
dangerous: it performs allocation based on user input before verifying driver
state. This confirms that dup_iter() must be hardened internally as it cannot
assume pre-validated input.

drivers/usb/gadget/legacy/inode.c:
The ep_read_iter() path illustrates how dup_iter()’s lack of boundary awareness
compounds resource risks. When combined with other allocations, it creates
a multiplier effect for kernel memory pressure.

This patch replaces kmemdup() with kmemdup_array(), which utilizes
check_mul_overflow() to ensure the allocation size is calculated safely,
hardening dup_iter() against malicious or malformed inputs from its callers.

Signed-off-by: Wang Haoran <haoranwangsec@gmail.com>
---
 lib/iov_iter.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 0a63c7fba..63aa8b6e3 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1224,13 +1224,13 @@ const void *dup_iter(struct iov_iter *new, struct iov_iter *old, gfp_t flags)
 {
 	*new = *old;
 	if (iov_iter_is_bvec(new))
-		return new->bvec = kmemdup(new->bvec,
-				    new->nr_segs * sizeof(struct bio_vec),
+		return new->bvec = kmemdup_array(new->bvec,
+				    new->nr_segs, sizeof(struct bio_vec),
 				    flags);
 	else if (iov_iter_is_kvec(new) || iter_is_iovec(new))
 		/* iovec and kvec have identical layout */
-		return new->__iov = kmemdup(new->__iov,
-				   new->nr_segs * sizeof(struct iovec),
+		return new->__iov = kmemdup_array(new->__iov,
+				   new->nr_segs, sizeof(struct iovec),
 				   flags);
 	return NULL;
 }
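Review bot: The hunk changes both the bvec branch and the iovec/kvec branch, but the description names only the iovec array and quotes `new->iov = kmemdup(from->iov, nr_segs * sizeof(struct iovec), gfp);`, which does not match the lines actually replaced here (`new->__iov`, `new->nr_segs`, `flags`); quote the real lines and mention both arrays so the log matches the code. Also, kmemdup_array() only turns a multiplication overflow into a NULL return, which callers must already handle because kmemdup() could fail, so the description's "unbounded memory allocations" point is not addressed by this hunk and should be dropped or reworded. The replacement itself is correct: the element count and element size are passed in the order kmemdup_array() expects, and the continuation-line indentation matches the surrounding code.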
-- 
2.43.0
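As an added userspace illustration (not part of the patch or of the thread) of the wrap the description refers to and of the checked multiply that kmemdup_array() relies on: struct iovec32, naive_alloc_size32(), checked_alloc_size32() and dup_array_checked() are hypothetical stand-ins for the kernel types and helpers, and the segment counts are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 8-byte element standing in for struct iovec on a 32-bit kernel. */
struct iovec32 { uint32_t iov_base; uint32_t iov_len; };

/* Old pattern: nr_segs * sizeof(elem) as a plain 32-bit multiply; the product
 * wraps silently, so a huge segment count yields a tiny byte count. */
static uint32_t naive_alloc_size32(uint32_t nr_segs, uint32_t elem_size)
{
	return nr_segs * elem_size;
}

/* New pattern: the checked multiply behind check_mul_overflow(); returns
 * nonzero on overflow instead of handing back a wrapped size. */
static int checked_alloc_size32(uint32_t nr_segs, uint32_t elem_size, uint32_t *bytes)
{
	return __builtin_mul_overflow(nr_segs, elem_size, bytes);
}

/* Userspace model of kmemdup_array(): duplicate nr elements of elem_size bytes,
 * returning NULL when the byte count would overflow size_t, which is the same
 * failure path a caller already handles for an allocation failure. */
static void *dup_array_checked(const void *src, size_t nr, size_t elem_size)
{
	size_t bytes;
	if (__builtin_mul_overflow(nr, elem_size, &bytes))
		return NULL;
	void *copy = malloc(bytes);
	if (copy)
		memcpy(copy, src, bytes);
	return copy;
}

int main(void)
{
	/* Constructed sample: 2^29 + 1 eight-byte segments need 2^32 + 8 bytes. */
	uint32_t nr = 0x20000001u, bytes = 0;
	struct iovec32 segs[3] = { {0x1000, 16}, {0x2000, 32}, {0x3000, 64} };
	struct iovec32 *copy = dup_array_checked(segs, 3, sizeof(*segs));
	printf("naive size for %u segs: %u bytes\n", nr, naive_alloc_size32(nr, sizeof(*segs)));
	printf("checked multiply reports overflow: %d\n",
	       checked_alloc_size32(nr, sizeof(*segs), &bytes));
	printf("dup of 3 segs: %s; dup of SIZE_MAX/8+1 segs: %s\n", copy ? "ok" : "NULL",
	       dup_array_checked(segs, SIZE_MAX / sizeof(*segs) + 1, sizeof(*segs)) ? "ok" : "NULL");
	free(copy);
	return 0;
}
```

The naive size for 0x20000001 segments comes out as 8 bytes, which is the small allocation followed by an oversized copy that the description warns about, while the checked variants refuse the same count.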



* Re: [PATCH] iov_iter: use kmemdup_array for dup_iter to harden against overflow
  2026-04-13  6:06 [PATCH] iov_iter: use kmemdup_array for dup_iter to harden against overflow Wang Haoran
@ 2026-04-14  8:18 ` Christoph Hellwig
  2026-04-14  9:46 ` Christian Brauner
  1 sibling, 0 replies; 3+ messages in thread
From: Christoph Hellwig @ 2026-04-14  8:18 UTC (permalink / raw)
  To: Wang Haoran; +Cc: viro, akpm, linux-block, linux-fsdevel, linux-kernel

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>



* Re: [PATCH] iov_iter: use kmemdup_array for dup_iter to harden against overflow
  2026-04-13  6:06 [PATCH] iov_iter: use kmemdup_array for dup_iter to harden against overflow Wang Haoran
  2026-04-14  8:18 ` Christoph Hellwig
@ 2026-04-14  9:46 ` Christian Brauner
  1 sibling, 0 replies; 3+ messages in thread
From: Christian Brauner @ 2026-04-14  9:46 UTC (permalink / raw)
  To: Wang Haoran
  Cc: Christian Brauner, linux-block, linux-fsdevel, linux-kernel, viro,
	akpm

On Mon, 13 Apr 2026 14:06:55 +0800, Wang Haoran wrote:
> While auditing the Linux 7.0-rc2 kernel, I identified a potential security
> vulnerability in the iov_iter framework's memory allocation logic.
> 
> The dup_iter() function, which is exported via EXPORT_SYMBOL, currently
> uses kmemdup() with a raw multiplication to allocate the duplicate iovec array:
> 
> new->iov = kmemdup(from->iov, nr_segs * sizeof(struct iovec), gfp);
> 
> [...]

Applied to the vfs-7.2.misc branch of the vfs/vfs.git tree.
Patches in the vfs-7.2.misc branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-7.2.misc

[1/1] iov_iter: use kmemdup_array for dup_iter to harden against overflow
      https://git.kernel.org/vfs/vfs/c/ea5efcc5c589

