| Message ID | 20210201203233.1324704-1-snovitoll@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS | expand |
On Feb 1, 2021, at 12:32 PM, Sabyrzhan Tasbolatov <snovitoll@gmail.com> wrote: > > syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS > control message is passed with user-controlled > 0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition. > > The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400. > So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10 > is the closest limit, with 0x10 leftover. > > Same condition is currently done in rds_cmsg_rdma_args(). > > [1] WARNING: mm/page_alloc.c:5011 > [..] > Call Trace: > alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 > alloc_pages include/linux/gfp.h:547 [inline] > kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 > kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 > kmalloc_array include/linux/slab.h:592 [inline] > kcalloc include/linux/slab.h:621 [inline] > rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568 > rds_rm_size net/rds/send.c:928 [inline] > > Reported-by: syzbot+1bd2b07f93745fa38425@syzkaller.appspotmail.com > Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com> > — Looks fine by me. Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Tue, 2 Feb 2021 02:32:33 +0600 you wrote: > syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS > control message is passed with user-controlled > 0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition. > > The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400. > So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10 > is the closest limit, with 0x10 leftover. > > [...] Here is the summary with links: - net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS https://git.kernel.org/netdev/net/c/a11148e6fcce You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 1d0afb1dd77b..6f1a50d50d06 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -565,6 +565,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args, if (args->nr_local == 0) return -EINVAL; + if (args->nr_local > UIO_MAXIOV) + return -EMSGSIZE; + iov->iov = kcalloc(args->nr_local, sizeof(struct rds_iovec), GFP_KERNEL);
syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS control message is passed with user-controlled 0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition. The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400. So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10 is the closest limit, with 0x10 leftover. Same condition is currently done in rds_cmsg_rdma_args(). [1] WARNING: mm/page_alloc.c:5011 [..] Call Trace: alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 alloc_pages include/linux/gfp.h:547 [inline] kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 kmalloc_array include/linux/slab.h:592 [inline] kcalloc include/linux/slab.h:621 [inline] rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568 rds_rm_size net/rds/send.c:928 [inline] Reported-by: syzbot+1bd2b07f93745fa38425@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com> --- net/rds/rdma.c | 3 +++ 1 file changed, 3 insertions(+)