syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
control message is passed with user-controlled
0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.
The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
is the closest limit, with 0x10 leftover.
Same condition is currently done in rds_cmsg_rdma_args().
[1] WARNING: mm/page_alloc.c:5011
[..]
Call Trace:
alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
alloc_pages include/linux/gfp.h:547 [inline]
kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
kmalloc_array include/linux/slab.h:592 [inline]
kcalloc include/linux/slab.h:621 [inline]
rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568
rds_rm_size net/rds/send.c:928 [inline]
Reported-by: [email protected]
Signed-off-by: Sabyrzhan Tasbolatov <[email protected]>
---
net/rds/rdma.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 1d0afb1dd77b..6f1a50d50d06 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -565,6 +565,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args,
if (args->nr_local == 0)
return -EINVAL;
+ if (args->nr_local > UIO_MAXIOV)
+ return -EMSGSIZE;
+
iov->iov = kcalloc(args->nr_local,
sizeof(struct rds_iovec),
GFP_KERNEL);
--
2.25.1
On Feb 1, 2021, at 12:32 PM, Sabyrzhan Tasbolatov <[email protected]> wrote:
>
> syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
> control message is passed with user-controlled
> 0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.
>
> The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
> So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
> is the closest limit, with 0x10 leftover.
>
> Same condition is currently done in rds_cmsg_rdma_args().
>
> [1] WARNING: mm/page_alloc.c:5011
> [..]
> Call Trace:
> alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
> alloc_pages include/linux/gfp.h:547 [inline]
> kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
> kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
> kmalloc_array include/linux/slab.h:592 [inline]
> kcalloc include/linux/slab.h:621 [inline]
> rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568
> rds_rm_size net/rds/send.c:928 [inline]
>
> Reported-by: [email protected]
> Signed-off-by: Sabyrzhan Tasbolatov <[email protected]>
> —
Looks fine by me.
Acked-by: Santosh Shilimkar <[email protected]>
Hello:
This patch was applied to netdev/net.git (refs/heads/master):
On Tue, 2 Feb 2021 02:32:33 +0600 you wrote:
> syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
> control message is passed with user-controlled
> 0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.
>
> The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
> So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
> is the closest limit, with 0x10 leftover.
>
> [...]
Here is the summary with links:
- net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
https://git.kernel.org/netdev/net/c/a11148e6fcce
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html