[BUG 6.4] sched/core: Possible buffer overflow in do_set_cpu_allowed

[BUG 6.4] sched/core: Possible buffer overflow in do_set_cpu_allowed

[Joe Korty]

In commit 9a5418bc48bab ("sched/core: Use kfree_rcu() in
do_set_cpus_allowed()"), a kfree_rcu() is used to free a cpu mask.
However, cpu masks can be as short as 8 bytes and this is a problem,
as kfree_rcu requires the to-be freed buffer to be at least 16 bytes.
Thus there is a chance of buffer overflow corruption when the number of
possible cpus in the system is 64 or less.

I have not seen this corruption in the wild.  I only noticed this possibility
when reviewing the scheduler differences between 6.1 and 6.4.

Regards,
Joe Korty

Re: [BUG 6.4] sched/core: Possible buffer overflow in do_set_cpu_allowed

[Waiman Long]

On 7/7/23 16:28, Joe Korty wrote:
> In commit 9a5418bc48bab ("sched/core: Use kfree_rcu() in
> do_set_cpus_allowed()"), a kfree_rcu() is used to free a cpu mask.
> However, cpu masks can be as short as 8 bytes and this is a problem,
> as kfree_rcu requires the to-be freed buffer to be at least 16 bytes.
> Thus there is a chance of buffer overflow corruption when the number of
> possible cpus in the system is 64 or less.
>
> I have not seen this corruption in the wild.  I only noticed this possibility
> when reviewing the scheduler differences between 6.1 and 6.4.

We were aware of this known limitation. If you look at 
alloc_user_cpus_ptr():

static cpumask_t *alloc_user_cpus_ptr(int node)
{
         /*
          * See do_set_cpus_allowed() above for the rcu_head usage.
          */
         int size = max_t(int, cpumask_size(), sizeof(struct rcu_head));

         return kmalloc_node(size, GFP_KERNEL, node);
}

We made sure that the allocated buffer is big enough to hold struct 
rcu_head.

Cheers,
Longman