On Mon, Mar 15, 2021 at 06:33:10PM +0000, Al Viro wrote: > On Mon, Mar 15, 2021 at 10:48:51AM -0700, Kees Cook wrote: > > The sysfs interface to seq_file continues to be rather fragile, as seen > > with some recent exploits[1]. Move the seq_file buffer to the vmap area > > (while retaining the accounting flag), since it has guard pages that > > will catch and stop linear overflows. This seems justified given that > > seq_file already uses kvmalloc(), is almost always using a PAGE_SIZE or > > larger allocation, has allocations are normally short lived, and is not > > normally on a performance critical path. > > You are attacking the wrong part of it. Is there any reason for having > seq_get_buf() public in the first place? Completely agreed. seq_get_buf() should be totally ripped out. Unfortunately, this is going to be a long road because of sysfs's ATTR stuff, there are something like 5000 callers, and the entire API was designed to avoid refactoring all those callers from sysfs_kf_seq_show(). However, since I also need to entirely rewrite the sysfs vs kobj APIs[1] for CFI, I'm working on a plan to fix it all at once, but based on my experience refactoring the timer struct, it's going to be a very painful and long road. So, in the meantime, I'd like to make this change so we can get bounds checking for free on seq_file (since it's almost always PAGE_SIZE anyway). -Kees [1] https://lore.kernel.org/lkml/202006112217.2E6CE093@keescook/ -- Kees Cook
