On Thu, Apr 01, 2021 at 03:13:20PM -0700, Kees Cook wrote:
> The sysfs interface to seq_file continues to be rather fragile
> (seq_get_buf() should not be used outside of seq_file), as seen with
> some recent exploits[1]. Move the seq_file buffer to the vmap area
> (while retaining the accounting flag), since it has guard pages that will
> catch and stop linear overflows. This seems justified given that sysfs's
> use of seq_file almost always already uses PAGE_SIZE allocations, has
> normally short-lived allocations, and is not normally on a performance
> critical path.

This looks completely weird to me. In the end sysfs uses nothing of
the seq_file infrastructure, so why do we even pretend to use it?
Just switch sysfs_file_kfops_ro and sysfs_file_kfops_rw from using ->seq_show
to ->read and do the vmalloc there instead of pretending this is a seq_file.

> Once seq_get_buf() has been removed (and all sysfs callbacks using
> seq_file directly), this change can also be removed.

And with sysfs out of the way I think killing off the other few users
should be pretty easy as well.