On Wed, Jun 10, 2020 at 06:33:26PM -0700, Harshad Shirwadkar wrote:
> Make sure that user requested memory via BLKTRACESETUP is within
> bounds. This can be easily exploited by setting really large values
> for buf_size and buf_nr in BLKTRACESETUP ioctl.
>
> blktrace program has following hardcoded values for bufsize and bufnr:
> BUF_SIZE=(512 * 1024)
> BUF_NR=(4)
>
> This is very easy to exploit. Setting buf_size / buf_nr in userspace
> program to big values makes kernel go oom.
>
> This patch adds a new sysfs tunable called "blktrace_max_alloc"
> with the default value as:
> blktrace_max_alloc=(1024 * 1024 * 16)
>
> Verified that the fix makes BLKTRACESETUP return -E2BIG if the
> buf_size * buf_nr crosses the configured upper bound in the device's
> sysfs file. Verified that the bound checking is turned off when we
> write 0 to the sysfs file.

I don't think the configurability makes any sense. We need to put a
hard upper cap on, preferably one that doesn't break widely used
userspace. Just pick a reasonable large value to get started.
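The check the quoted commit message describes, written out as an added stand-alone example rather than the kernel's own code: `blktrace_check_alloc`, `BLKTRACE_MAX_ALLOC_DEFAULT` and the `max_alloc == 0` "disabled" convention are assumptions modelled on the message, not identifiers from the patch.

```c
#include <errno.h>
#include <stdint.h>

/* Hypothetical stand-in for the cap discussed in the thread: the 16 MiB
 * default proposed in the commit message (constructed for this example). */
#define BLKTRACE_MAX_ALLOC_DEFAULT (1024UL * 1024UL * 16UL)

/* Validate the buf_size / buf_nr pair a caller hands to BLKTRACESETUP.
 * Returns 0 when the request is acceptable, -EINVAL for a zero size or
 * count (matching what the kernel already rejects), and -E2BIG when
 * buf_size * buf_nr exceeds max_alloc. max_alloc == 0 disables the bound,
 * mirroring the "write 0 to the sysfs file" behaviour in the message.
 * buf_size and buf_nr are __u32 in struct blk_user_trace_setup, so the
 * product is formed in 64 bits and cannot wrap below the limit. */
int blktrace_check_alloc(uint32_t buf_size, uint32_t buf_nr,
                         unsigned long max_alloc)
{
    uint64_t total;

    if (buf_size == 0 || buf_nr == 0)
        return -EINVAL;

    if (max_alloc == 0)
        return 0;               /* bound checking switched off */

    total = (uint64_t)buf_size * (uint64_t)buf_nr;
    if (total > max_alloc)
        return -E2BIG;          /* what the fix reports to userspace */

    return 0;
}
```

The blktrace tool's defaults (512 KiB * 4 = 2 MiB) stay well under the cap, while a request of a 1 GiB buffer times 1024 is refused before any allocation happens.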