Patch "mm: don't allow oversized kvmalloc() calls" has been added to the 5.10-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 04 Oct 2021 14:17:48 +0200

This is a note to let you know that I've just added the patch titled

    mm: don't allow oversized kvmalloc() calls

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mm-don-t-allow-oversized-kvmalloc-calls.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 7661809d493b426e979f39ab512e3adf41fbcc69 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 14 Jul 2021 09:45:49 -0700
Subject: mm: don't allow oversized kvmalloc() calls

From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>

commit 7661809d493b426e979f39ab512e3adf41fbcc69 upstream.

'kvmalloc()' is a convenience function for people who want to do a
kmalloc() but fall back on vmalloc() if there aren't enough physically
contiguous pages, or if the allocation is larger than what kmalloc()
supports.

However, let's make sure it doesn't get _too_ easy to do crazy things
with it.  In particular, don't allow big allocations that could be due
to integer overflow or underflow.  So make sure the allocation size fits
in an 'int', to protect against trivial integer conversion issues.

Acked-by: Willy Tarreau <w@xxxxxx>
Cc: Kees Cook <keescook@xxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 mm/util.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/mm/util.c
+++ b/mm/util.c
@@ -581,6 +581,10 @@ void *kvmalloc_node(size_t size, gfp_t f
 	if (ret || size <= PAGE_SIZE)
 		return ret;
 
+	/* Don't even allow crazy sizes */
+	if (WARN_ON_ONCE(size > INT_MAX))
+		return NULL;
+
 	return __vmalloc_node(size, 1, flags, node,
 			__builtin_return_address(0));
 }


Patches currently in stable-queue which might be from torvalds@xxxxxxxxxxxxxxxxxxxx are

queue-5.10/netfilter-ipset-fix-oversized-kvmalloc-calls.patch
queue-5.10/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch
queue-5.10/mm-don-t-allow-oversized-kvmalloc-calls.patch






