From: Chris Down <chris@chrisdown.name>
To: Michal Hocko <mhocko@suse.com>
Cc: Muchun Song <songmuchun@bytedance.com>,
Andrew Morton <akpm@linux-foundation.org>,
Johannes Weiner <hannes@cmpxchg.org>,
Vladimir Davydov <vdavydov.dev@gmail.com>,
Cgroups <cgroups@vger.kernel.org>,
Linux Memory Management List <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [External] Re: [PATCH] mm: memcontrol: Fix out-of-bounds on the buf returned by memory_stat_format
Date: Mon, 14 Sep 2020 12:20:37 +0100 [thread overview]
Message-ID: <20200914112037.GA2417148@chrisdown.name> (raw)
In-Reply-To: <20200914103205.GI16999@dhcp22.suse.cz>
Michal Hocko writes:
>> > > Yeah, I think we should cc:stable.
>> >
>> > Is this a real problem? The buffer should contain 36 lines which makes
>> > it more than 100B per line. I strongly suspect we are not able to use
>> > that storage up.
>>
>> Before memory_stat_format() return, we should call seq_buf_putc(&s, '\0').
>> Otherwise, the return buf string has no trailing null('\0'). But users treat buf
>> as a string(and read the string oob). It is wrong. Thanks.
>
>I am not sure I follow you. vsnprintf which is used by seq_printf will
>add \0 if there is a room for that. And I argue there is a lot of room
>in the buffer so a corner case where the buffer gets full doesn't happen
>with the current code.
I don't feel very strongly either way, but in general I agree with Michal. As
it is this feels quite perfunctory.
If you can demonstrate reading the string out of bounds in a
userspace-exploitable way -- that is, you can demonstrate one can coerce
memory.stat to a format where you would read out of bounds -- then we should
obviously cc stable and keep the Fixes tag, but you have not come close to
demonstrating this yet.
Otherwise, if you cannot provide any way to read the string out of bounds,
because the buffer is simply way too big for this to ever happen, this is just
a code cleanup, and neither Fixes nor stable are appropriate.
So, the question is, which is it? :-)
next prev parent reply other threads:[~2020-09-14 11:20 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-12 15:51 Muchun Song
2020-09-13 0:42 ` Andrew Morton
2020-09-14 4:02 ` [External] " Muchun Song
2020-09-14 9:18 ` Michal Hocko
2020-09-14 9:43 ` Muchun Song
2020-09-14 10:32 ` Michal Hocko
2020-09-14 11:20 ` Chris Down [this message]
2020-09-14 11:46 ` Muchun Song
2020-09-14 11:57 ` Michal Hocko
2020-09-14 12:05 ` Muchun Song
2020-09-14 9:23 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200914112037.GA2417148@chrisdown.name \
--to=chris@chrisdown.name \
--cc=akpm@linux-foundation.org \
--cc=cgroups@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=songmuchun@bytedance.com \
--cc=vdavydov.dev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox