From: Josef Bacik
To: hch@lst.de, viro@ZenIV.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, willy@infradead.org, kernel-team@fb.com
Subject: [PATCH 1/6] proc: use vmalloc for our kernel buffer
Date: Thu, 13 Aug 2020 17:04:06 -0400
Message-Id: <20200813210411.905010-2-josef@toxicpanda.com>
In-Reply-To: <20200813210411.905010-1-josef@toxicpanda.com>
References: <20200813210411.905010-1-josef@toxicpanda.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Since sysctl: pass kernel pointers to ->proc_handler we have been
pre-allocating a buffer to copy the data from the proc handlers into, and
then copying that to userspace. The problem is this just blind kmalloc()'s
the buffer size passed in from the read, which in the case of our 'cat'
binary was 64kib. Order-4 allocations are not awesome, and since we can
potentially allocate up to our maximum order, use vmalloc for these
buffers.

Fixes: 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")
Signed-off-by: Josef Bacik
---
 fs/proc/proc_sysctl.c  |  6 +++---
 include/linux/string.h |  1 +
 mm/util.c              | 27 +++++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index 6c1166ccdaea..8e19bad83b45 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -571,13 +571,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, goto out; if (write) { - kbuf = memdup_user_nul(ubuf, count); + kbuf = kvmemdup_user_nul(ubuf, count); if (IS_ERR(kbuf)) { error = PTR_ERR(kbuf); goto out; } } else { - kbuf = kzalloc(count, GFP_KERNEL); + kbuf = kvzalloc(count, GFP_KERNEL); if (!kbuf) goto out; }
@@ -600,7 +600,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, error = count; out_free_buf: - kfree(kbuf); + kvfree(kbuf); out: sysctl_head_finish(head); diff --git a/include/linux/string.h b/include/linux/string.h index 9b7a0632e87a..21bb6d3d88c4 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -12,6 +12,7 @@ extern char *strndup_user(const char __user *, long); extern void *memdup_user(const void __user *, size_t); extern void *vmemdup_user(const void __user *, size_t); +extern void *kvmemdup_user_nul(const void __user *, size_t); extern void *memdup_user_nul(const void __user *, size_t); /* diff --git a/mm/util.c b/mm/util.c index 5ef378a2a038..cf454d57d3e2 100644 --- a/mm/util.c +++ b/mm/util.c @@ -208,6 +208,33 @@ void *vmemdup_user(const void __user *src, size_t len) } EXPORT_SYMBOL(vmemdup_user); +/** + * kvmemdup_user_nul - duplicate memory region from user space and NUL-terminate + * + * @src: source address in user space + * @len: number of bytes to copy + * + * Return: an ERR_PTR() on failure. Result may be not + * physically contiguous. Use kvfree() to free. + */ +void *kvmemdup_user_nul(const void __user *src, size_t len) +{ + char *p; + + p = kvmalloc(len + 1, GFP_USER); + if (!p) + return ERR_PTR(-ENOMEM); + + if (copy_from_user(p, src, len)) { + kvfree(p); + return ERR_PTR(-EFAULT); + } + p[len] = '\0'; + + return p; +} +EXPORT_SYMBOL(kvmemdup_user_nul); + /** * strndup_user - duplicate an existing string from user space * @s: The string to duplicate -- 2.24.1
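
Review bot: In the first fs/proc/proc_sysctl.c hunk (@@ -571,13), the read path still sizes the kernel buffer directly from the caller-supplied count in `kvzalloc(count, GFP_KERNEL)`. With a vmalloc fallback, a large read size can be satisfied rather than failing, so each read lets userspace make the kernel allocate and zero that much memory. No bound on count is visible in this hunk's context; consider clamping count to a documented maximum before allocating, or say in the commit message where it is already limited.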
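
Review bot: In the include/linux/string.h hunk, the new `kvmemdup_user_nul` is declared between `vmemdup_user` and `memdup_user_nul` but follows neither naming pattern (a kv- prefix next to an existing v- prefix). Either name it consistently with the existing helper or explain the difference in the commit message, so callers can tell from the name which results must be released with kvfree().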
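
Review bot: In the mm/util.c hunk, `kvmalloc(len + 1, GFP_USER)` has no guard against len + 1 wrapping: with len == SIZE_MAX the requested size becomes 0, while `copy_from_user(p, src, len)` and `p[len] = '\0'` still use the original len. The function is exported, so it cannot rely on every caller bounding len; add an explicit overflow check that returns an ERR_PTR(), or state the caller's obligation in the kernel-doc. The kernel-doc also describes only the failure return and should say what is returned on success, and the use of GFP_USER here next to GFP_KERNEL on the read path in proc_sys_call_handler() deserves a one-line justification.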