From: Dmitry Vyukov
Date: Wed, 15 Jan 2020 16:14:43 +0100
Subject: Re: [PATCH] mm/mempolicy.c: Fix out of bounds write in mpol_parse_str()
To: Michal Hocko
Cc: Vlastimil Babka, Dan Carpenter, Andrew Morton, Lee Schermerhorn, Linux-MM, LKML, syzbot, Andrea Arcangeli, Hugh Dickins, syzkaller-bugs, Al Viro, yang.shi@linux.alibaba.com
In-Reply-To: <20200115150315.GH19428@dhcp22.suse.cz>

On Wed, Jan 15, 2020 at 4:03 PM Michal Hocko wrote:
>
> On Wed 15-01-20 13:57:47, Dmitry Vyukov wrote:
> > On Wed, Jan 15, 2020 at 1:54 PM Vlastimil Babka wrote:
> > >
> > > On 1/15/20 6:54 AM, Dan Carpenter wrote:
> > > > What we are trying to do is change the '=' character to a NUL terminator
> > > > and then at the end of the function we restore it back to an '='. The
> > > > problem is there are two error paths where we jump to the end of the
> > > > function before we have replaced the '=' with NUL. We end up putting
> > > > the '=' in the wrong place (possibly one element before the start of
> > > > the buffer).
> > >
> > > Bleh.
> > >
> > > > Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
> > > > Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
> > > > Signed-off-by: Dan Carpenter
> > >
> > > Acked-by: Vlastimil Babka
> > >
> > > CC stable perhaps? Can this (tmpfs mount options parsing AFAICS?) become
> > > part of unprivileged operation in some scenarios?
> >
> > Yes, tmpfs can be mounted by any user inside of a user namespace.
>
> Huh, is there any restriction though? It is certainly not nice to have
> an arbitrary memory allocated without a way of reclaiming it and OOM
> killer wouldn't help for shmem.

The last time I checked there were hundreds of ways to allocate arbitrary amounts of memory without any restrictions by any user.
The example at hand was setting up GB-sized netfilter tables in netns under userns. It's not subject to ulimit/memcg. Most kmalloc/vmalloc's are not accounted and can be abused. Is tmpfs even worse than these?
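The swap-and-restore bug Dan describes above, as a constructed C illustration added here (it is neither the kernel's mpol_parse_str() nor Dan's patch): a '=' in the first position stands in for the early error path, parse_buggy shows the restore landing one byte before the string, and parse_fixed restores only after a real swap.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed illustration (not the kernel's mpol_parse_str()): '=' is
 * overwritten with NUL so the key is its own string, then restored at the
 * end with "*--p = '='", which is only right if p was advanced past '='.
 * Hypothetical rule standing in for the real early error path: the key
 * before '=' must not be empty.  Both functions return 0 or -1. */

/* Buggy: the error path reaches the restore before the swap, so "*--flags"
 * steps to the byte BEFORE '=' (str[-1] when '=' is the first character). */
int parse_buggy(char *str)
{
	char *flags = strchr(str, '=');
	int err = 0;

	if (flags == str) {         /* empty key: error before the swap */
		err = -1;
		goto out;           /* flags still points AT the '=' */
	}
	if (flags)
		*flags++ = '\0';    /* key is now NUL-terminated */
	/* ... key and flags would be parsed here ... */
out:
	if (flags)
		*--flags = '=';     /* assumes the swap above happened */
	return err;
}

/* Corrected: restore only if the swap actually happened (one possible
 * fix; the kernel's patch may differ). */
int parse_fixed(char *str)
{
	char *flags = strchr(str, '=');
	bool swapped = false;
	int err = 0;
	if (flags == str) {
		err = -1;
		goto out;
	}
	if (flags) {
		*flags++ = '\0';
		swapped = true;
	}
	/* ... key and flags would be parsed here ... */
out:
	if (swapped)
		*--flags = '=';
	return err;
}
```

Passing the string at offset 1 of a slightly larger array gives a guard byte in front of it, which makes the misplaced write visible without stepping outside any real buffer.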