From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.5 required=3.0 tests=MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 977DAC33CB1 for ; Thu, 16 Jan 2020 07:39:27 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 3A0B1207FF for ; Thu, 16 Jan 2020 07:39:27 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3A0B1207FF Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 942368E0049; Thu, 16 Jan 2020 02:39:26 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 8F2AD8E003F; Thu, 16 Jan 2020 02:39:26 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8081E8E0049; Thu, 16 Jan 2020 02:39:26 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0100.hostedemail.com [216.40.44.100]) by kanga.kvack.org (Postfix) with ESMTP id 6B9128E003F for ; Thu, 16 Jan 2020 02:39:26 -0500 (EST) Received: from smtpin02.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with SMTP id 159FB180AD817 for ; Thu, 16 Jan 2020 07:39:26 +0000 (UTC) X-FDA: 76382697132.02.spot20_3535e769f2653 X-HE-Tag: spot20_3535e769f2653 X-Filterd-Recvd-Size: 6593 Received: from mail-wr1-f65.google.com (mail-wr1-f65.google.com [209.85.221.65]) by imf44.hostedemail.com (Postfix) with ESMTP for ; Thu, 16 Jan 2020 07:39:25 +0000 (UTC) Received: by mail-wr1-f65.google.com with SMTP id c9so18041111wrw.8 for ; Wed, 15 Jan 2020 23:39:25 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=bBIJdoOGcKT7ARa4hpF0Qzi9SqnNejpA2FdEIbbGlvw=; b=Hl1WbZrXCuOmTko0LN2HIK3a3xaPqUuOemBfUCqRys4d+a4C29KwUeJmcifAUl539X LuD9RhSUIPhupzAadY3gHM8Pw0J9I2J4bTPBOXZiOoG8Nq9WTH0Lk86mkMAvgTOSB2KP VSainml46IiSBXafvgKq5nY1ronFb90Nmw7cyPGJa9yppY3FU1Npkh/G3wzm9bQXd9Df 1fzAMubUPnU3+dlTqrICGslbOxGXH1Ia/zQOfKUrTahH3f1dMNqWXEX8lzmb1f0GpvjA AySxPNxsgdnhNY2dOqCMP3+1snbMODqIiOBIOwcBz4OCYIMzBbZAPCuZyx4jE4dV6drk PyrQ== X-Gm-Message-State: APjAAAVb37dFlcbqZLaJaaU8ICcng+k6VzvWLdmdLYAjmipYadNoTlvi JYbwse0Fjyz1oPCaim92htI= X-Google-Smtp-Source: APXvYqwh2du+d8lyfUMfq2pY8IgeVBXJR6/z7dzMr6nzR4sM0wycMNyDQKCEf8o2GNp7nNE6VT2Mxg== X-Received: by 2002:adf:fe8c:: with SMTP id l12mr1598425wrr.215.1579160364410; Wed, 15 Jan 2020 23:39:24 -0800 (PST) Received: from localhost (ip-37-188-146-105.eurotel.cz. [37.188.146.105]) by smtp.gmail.com with ESMTPSA id m126sm1394332wmf.7.2020.01.15.23.39.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jan 2020 23:39:23 -0800 (PST) Date: Thu, 16 Jan 2020 08:39:22 +0100 From: Michal Hocko To: Dmitry Vyukov Cc: Vlastimil Babka , Dan Carpenter , Andrew Morton , Lee Schermerhorn , Linux-MM , LKML , syzbot , Andrea Arcangeli , Hugh Dickins , syzkaller-bugs , Al Viro , yang.shi@linux.alibaba.com Subject: Re: [PATCH] mm/mempolicy.c: Fix out of bounds write in mpol_parse_str() Message-ID: <20200116073922.GL19428@dhcp22.suse.cz> References: <20200115055426.vdjwvry44nfug7yy@kili.mountain> <20200115150315.GH19428@dhcp22.suse.cz> <20200115190528.GJ19428@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.12.2 (2019-09-21) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu 16-01-20 06:41:46, Dmitry Vyukov wrote: > On Wed, Jan 15, 2020 at 8:05 PM Michal Hocko wrote: > > > > > On Wed, Jan 15, 2020 at 1:54 PM Vlastimil Babka wrote: > > > > > > > > > > > > On 1/15/20 6:54 AM, Dan Carpenter wrote: > > > > > > > What we are trying to do is change the '=' character to a NUL terminator > > > > > > > and then at the end of the function we restore it back to an '='. The > > > > > > > problem is there are two error paths where we jump to the end of the > > > > > > > function before we have replaced the '=' with NUL. We end up putting > > > > > > > the '=' in the wrong place (possibly one element before the start of > > > > > > > the buffer). > > > > > > > > > > > > Bleh. > > > > > > > > > > > > > Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com > > > > > > > Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display") > > > > > > > Signed-off-by: Dan Carpenter > > > > > > > > > > > > Acked-by: Vlastimil Babka > > > > > > > > > > > > CC stable perhaps? Can this (tmpfs mount options parsing AFAICS?) become > > > > > > part of unprivileged operation in some scenarios? > > > > > > > > > > Yes, tmpfs can be mounted by any user inside of a user namespace. > > > > > > > > Huh, is there any restriction though? It is certainly not nice to have > > > > an arbitrary memory allocated without a way of reclaiming it and OOM > > > > killer wouldn't help for shmem. > > > > > > The last time I checked there were hundreds of ways to allocate > > > arbitrary amounts of memory without any restrictions by any user. The > > > example at hand was setting up GB-sized netfilter tables in netns > > > under userns. It's not subject to ulimit/memcg. > > > > That's bad! > > > > > Most kmalloc/vmalloc's are not accounted and can be abused. > > > > Many of those should be bound to some objects and if those are directly > > controllable by userspace then we should account at least. And if they > > are not bound to a process life time then restricted. > > I see you actually added one GFP_ACCOUNT in netfilter in "netfilter: > x_tables: do not fail xt_alloc_table_info too easilly". But it seems > there are more: > > $ grep vmalloc\( net/netfilter/*.c > net/netfilter/nf_tables_api.c: return kvmalloc(alloc, GFP_KERNEL); > net/netfilter/x_tables.c: xt[af].compat_tab = vmalloc(mem); > net/netfilter/x_tables.c: mem = vmalloc(len); > net/netfilter/x_tables.c: info = kvmalloc(sz, GFP_KERNEL_ACCOUNT); > net/netfilter/xt_hashlimit.c: /* FIXME: don't use vmalloc() here or > anywhere else -HW */ > net/netfilter/xt_hashlimit.c: hinfo = vmalloc(struct_size(hinfo, hash, size)); > > These are not bound to processes/threads as namespaces are orthogonal to tasks. I cannot really comment on those. This is for networking people to examine and find out whether they allow an untrusted user to runaway. > Somebody told me that it's not good to use GFP_ACCOUNT if the > allocation is not tied to the lifetime of the process. Is it still > true? Those are more tricky. Mostly because there is no way to reclaim the memory once the hard limit is hit. Even the memcg oom killer will not help much. So a care should be taken when adding GFP_ACCOUNT for those. On the other hand it would prevent an unbounded allocations at least so the DoS would be reduced to the hard limited memcg. -- Michal Hocko SUSE Labs