Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp3704633pxf; Mon, 15 Mar 2021 16:46:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyQB5wNcCmh/ecDsrYNoIE8sg/qCSkUu0hDeEYSk1DkUhugi7G6nFDpvaz2kpBCq81LtGkC X-Received: by 2002:a17:906:1a16:: with SMTP id i22mr26627896ejf.522.1615851976925; Mon, 15 Mar 2021 16:46:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1615851976; cv=none; d=google.com; s=arc-20160816; b=gfYbwANwT5Wn1RHipdOVo6fSCYcWbU0V+i1aIqEnQ00ybrcd8VX+9hXzQ1fOt1nN98 MV2TbSg/04shmBGvqZ7/qauzS0Ju/Vie7209YvQUjhwP31LnOC4Qge2J22c+IX5UH5AV 3g096bUoqqOy7P5NMCgp8JEylb+c7ezentLURCgdihkJ1r3TeRmrthulxREkTN6TmGML U9fCcliETljmCjoiyrXk/SdH3QGMO3gs+33w+o762fEGM7SCSPSNZdcNcem7ERP+D742 XWa3camkCpNhCxNUpScQ7U+MTN6Yk3WGJ1wCMYNsTv80FO6I3MxAT1RJhEnWwx2SnTxc /g5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=RA9msjIO26+IWEmEQs6ekjfSHo+soG6/khVr4WzyjKU=; b=VV2qHDHEriUZJ//yS3nnWtuArDLPyoNLh9xywdvFnSdvvOPpoZZBwGwB0dzT5bPwwl JUroAD1K4AcUt4bOIHLY0dyi8T+ACpol/EPL7HieMpiR4GVTIlTSSEfan53Z7qBUwkcA Jv4M/lYWtHv6jch+ETJgoC3QSIbPYwl0ziMaxy9KyAatumn39BlsXdyBib4OmLe9VsTW pjrLMHOc4X9QFgAoKB5+X6eRizX1bGJCK19VQkxaExJTDXw3u3CJEj8g1tahgXCYwqWn BRNzG+NezRjOasD1meUuMKEpwMRslTjIrYM4S+eBSWFg9Ur+BNEWrJ6wQpxvOxW8uT1D fCPg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l11si12527016edv.488.2021.03.15.16.45.54; Mon, 15 Mar 2021 16:46:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231334AbhCOSkZ (ORCPT + 99 others); Mon, 15 Mar 2021 14:40:25 -0400 Received: from zeniv-ca.linux.org.uk ([142.44.231.140]:47458 "EHLO zeniv-ca.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230034AbhCOSj7 (ORCPT ); Mon, 15 Mar 2021 14:39:59 -0400 Received: from viro by zeniv-ca.linux.org.uk with local (Exim 4.94 #2 (Red Hat Linux)) id 1lLs1e-006J21-Od; Mon, 15 Mar 2021 18:33:10 +0000 Date: Mon, 15 Mar 2021 18:33:10 +0000 From: Al Viro To: Kees Cook Cc: Andrew Morton , Greg Kroah-Hartman , Michal Hocko , Alexey Dobriyan , Lee Duncan , Chris Leech , Adam Nichols , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH v2] seq_file: Unconditionally use vmalloc for buffer Message-ID: References: <20210315174851.622228-1-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210315174851.622228-1-keescook@chromium.org> Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 15, 2021 at 10:48:51AM -0700, Kees Cook wrote: > The sysfs interface to seq_file continues to be rather fragile, as seen > with some recent exploits[1]. Move the seq_file buffer to the vmap area > (while retaining the accounting flag), since it has guard pages that > will catch and stop linear overflows. This seems justified given that > seq_file already uses kvmalloc(), is almost always using a PAGE_SIZE or > larger allocation, has allocations are normally short lived, and is not > normally on a performance critical path. You are attacking the wrong part of it. Is there any reason for having seq_get_buf() public in the first place? For example, the use in blkcg_print_stat() is entirely due to the bogus ->pd_stat_fn() calling conventions. Fuck scnprintf() games, just pass seq_file to ->pd_stat_fn() and use seq_printf() instead. Voila - no seq_get_buf()/seq_commit()/scnprintf() garbage. tegra use is no better, AFAICS. inifinibarf one... allow me to quote that gem in full: static int _driver_stats_seq_show(struct seq_file *s, void *v) { loff_t *spos = v; char *buffer; u64 *stats = (u64 *)&hfi1_stats; size_t sz = seq_get_buf(s, &buffer); if (sz < sizeof(u64)) return SEQ_SKIP; /* special case for interrupts */ if (*spos == 0) *(u64 *)buffer = hfi1_sps_ints(); else *(u64 *)buffer = stats[*spos]; seq_commit(s, sizeof(u64)); return 0; } Yes, really. Not to mention that there's seq_write(), what the _hell_ is it using seq_file for in the first place? Oh, and hfi_stats is actually this: struct hfi1_ib_stats { __u64 sps_ints; /* number of interrupts handled */ __u64 sps_errints; /* number of error interrupts */ __u64 sps_txerrs; /* tx-related packet errors */ __u64 sps_rcverrs; /* non-crc rcv packet errors */ __u64 sps_hwerrs; /* hardware errors reported (parity, etc.) */ __u64 sps_nopiobufs; /* no pio bufs avail from kernel */ __u64 sps_ctxts; /* number of contexts currently open */ __u64 sps_lenerrs; /* number of kernel packets where RHF != LRH len */ __u64 sps_buffull; __u64 sps_hdrfull; }; I won't go into further details - CDA might be dead and buried, but there should be some limit to public obscenity ;-/ procfs use is borderline - it looks like there might be a good cause for seq_escape_str(). And sysfs_kf_seq_show()... Do we want to go through seq_file there at all?