Thread (4 messages) 4 messages, 4 authors, 2021-01-28

Re: [PATCH v3] mm: memdup_user*() should use same gfp flags

From: Michal Hocko <mhocko@suse.com>
Date: 2021-01-28 08:19:45 

On Wed 27-01-21 15:19:40, Andrew Morton wrote:
On Wed, 27 Jan 2021 23:03:33 +0900 Tetsuo Handa [off-list ref] wrote:
quoted
On 2021/01/27 21:17, Michal Hocko wrote:
quoted
On Wed 27-01-21 12:59:28, Michal Hocko wrote:
quoted
On Wed 27-01-21 19:55:38, Tetsuo Handa wrote:
quoted
syzbot is reporting that memdup_user_nul() which receives user-controlled
size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
order >= MAX_ORDER path [1].

Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail
should be better than trying to enforce PAGE_SIZE upper limit, for some of
callers accept space-delimited list arguments.

Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with
commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations
warnings"). Also use GFP_USER as with other userspace-controllable
allocations like memdup_user().
I absolutely detest hiding this behind __GFP_NOWARN. There should be no
reason to even try hard for memdup_user_nul. Can you explain why this
this should have been "try hard to get a physicaly contiguous memory for memdup_user_nul"
quoted
cannot use kvmalloc instead?
There is no point with allowing userspace to allocate 2GB of physically non-contiguous
memory using kvmalloc(). Size is controlled by userspace, and memdup_user_nul() is used
for allocating temporary memory which will be released before returning to userspace.

Sane userspace processes should allocate only one or a few pages using memdup_user_nul().
Just making insane user processes (like fuzzer) fail memory allocation requests is a
reasonable decision.
(cc Casey)

I'd say that the immediate problem is in smk_write_syslog().  Obviously
it was implemented expecting small writes, but the fuzzer is passing it a
huge write and things fall apart.
I am not familiar with this particular caller and having a limit check
which suits that particular usage is a reasonable thing to do.

I do argue two things
- using NOWARN to work around potentially buggy callers is just sweeping
  the mess under the rug and opens
- these helper functions are to help copy user input and that doesn't
  really need physically contiguous pages. This can even become
  dangerous as a higher order depleting vector and DoS via OOM in  the
  worst case.

From that it sounds natural that the helper should be using kvmalloc.
This will not solve a due size check on the caller side but that is not
possible from a generic helper library function anyway. But it will
provide a reasonable allocation policy.
-- 
Michal Hocko
SUSE Labs
Related discussions
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help