On 1/27/2021 3:19 PM, Andrew Morton wrote:
> On Wed, 27 Jan 2021 23:03:33 +0900 Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>
>> On 2021/01/27 21:17, Michal Hocko wrote:
>>> On Wed 27-01-21 12:59:28, Michal Hocko wrote:
>>>> On Wed 27-01-21 19:55:38, Tetsuo Handa wrote:
>>>>> syzbot is reporting that memdup_user_nul() which receives user-controlled
>>>>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
>>>>> order >= MAX_ORDER path [1].
>>>>>
>>>>> Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail
>>>>> should be better than trying to enforce PAGE_SIZE upper limit, for some of
>>>>> callers accept space-delimited list arguments.
>>>>>
>>>>> Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with
>>>>> commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations
>>>>> warnings"). Also use GFP_USER as with other userspace-controllable
>>>>> allocations like memdup_user().
>>>> I absolutely detest hiding this behind __GFP_NOWARN. There should be no
>>>> reason to even try hard for memdup_user_nul. Can you explain why this
>>> this should have been "try hard to get a physicaly contiguous memory for memdup_user_nul"
>>>
>>>> cannot use kvmalloc instead?
>> There is no point with allowing userspace to allocate 2GB of physically non-contiguous
>> memory using kvmalloc(). Size is controlled by userspace, and memdup_user_nul() is used
>> for allocating temporary memory which will be released before returning to userspace.
>>
>> Sane userspace processes should allocate only one or a few pages using memdup_user_nul().
>> Just making insane user processes (like fuzzer) fail memory allocation requests is a
>> reasonable decision.
> (cc Casey)
>
> I'd say that the immediate problem is in smk_write_syslog(). Obviously
> it was implemented expecting small writes, but the fuzzer is passing it a
> huge write and things fall apart.
Yes, Smack should be checking that. Patch is in the works.
I hates fuzzers.
