On Tue, Oct 17, 2017 at 03:36:10PM +0100, Ben Hutchings wrote:
> On Mon, 2017-10-09 at 13:31 +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> [...]
> > From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> >
> > commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.
> >
> > The user buffer has "uurb->buffer_length" bytes. If the kernel has more
> > information than that, we should truncate it instead of writing past
> > the end of the user's buffer. I added a WARN_ONCE() to help the user
> > debug the issue.
> [...]
>
> Users should not be able to provoke a WARN_ON at will, that's a DoS
> (log spam, possible panic).
>
> And this truncated user buffer length is also used for allocation of
> the kernel buffer. Are you totally sure that this can't result in a
> kernel buffer overrun (or leak)?
>
> This fix seems worse than continuing to allow userspace to shoot itself
> in the foot.
>

We don't want to add this because it breaks API and does actually lead to
a leak.

But it was a WARN_ONCE(), not a WARN_ON(), so that part was ok. Probably
it helped find the bug in my code.

regards,
dan carpenter