From: Christian Brauner > Sent: 12 June 2020 19:28 ... > > > if (size < 32) > > > return -EINVAL; > > > if (size > PAGE_SIZE) > > > return -E2BIG; > > > > (Tanget: what was the reason for copy_struct_from_user() not including > > the min/max check? I have a memory of Al objecting to having an > > "internal" limit?) > > Al didn't want the PAGE_SIZE limit in there because there's nothing > inherently wrong with copying insane amounts of memory. The problem is really allowing a user process to allocate unbounded blocks of memory, not the copy itself. The limit for IOW() etc is 16k - not a problem. If a 32bit size is set to just under 4GB so you really want to allocate 4GB of memory then find the request is garbage. Seems like a nice DoS attack. A 64bit size can be worse. Potentially the limit should be in memdup_user() itself. And possibly an extra parameter giving a per-call lower? limit. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)