Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp4121345pxf; Tue, 16 Mar 2021 06:20:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwtEs0LRMTm0PIoaqMpHusFZGWeYUv6qtL2gCg3e2YeFR+c/u1ZhkLMAgh2C5FR1jxGQRMT X-Received: by 2002:a17:906:4d18:: with SMTP id r24mr29080803eju.493.1615900854315; Tue, 16 Mar 2021 06:20:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1615900854; cv=none; d=google.com; s=arc-20160816; b=yL2ozgr97Wml+urX2GjRNVFksKVyJMDJPItUbDu5U7jj/48yfaTX9uXgjJT2B998pP jsyQv2Dz8aC0kpAQWxdI1jrl3JBeiTP7jQSkg1xPo4+XHjD2j0kADM3ZDsem2d9rVBmK OD/0i8J71q00vvZRCbQRk899q1xSCUdd0L/VAKAzeO4sPcS00nme2x4EgJu3bcNkhp3T B65wVUfjPqkwNZxeDyQE9IvTga+7+mrLYZ/ceilWr1YUDsNsnTwAQPogsNX65uilTQ8l e0waSQ2Pmw2WhhQCHCQXMKh7DPdfCbNvZPN6nBHrT3W4/NPPcpXcfbnN5jUjiC3WIq/h b1yA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=dx5tn/tdbhOQ7uD2fnK8ZNmtom2xjdf9MFr6hYdbZPc=; b=LhuEXFNQxqNRa26EzWfDEymrLTClIzKdOMHtrjZ55WpTPEer+Qu3ZtpWByQstZRbBv +mcG1OB/+R2/VF7b4Wf5Ig1oLBZBpQBUIZFmlksTnZ9y2zBiLMzAUkVQqZ2ctZVP4R9J dYQ23SOcae2QSNCp2bj33Sp0rAlMfuqtwGE1MzoPTh2xkNjfTPj5goTjKgZzMPDSPkbx 6iT4uEcvTqdp52Ku8eoBLOvXDBeKrQFU3fHY5DD9r8FmTGRfsGt0F9RRdUF5uQByAnmw SPPRcJ1deaE84jKoNirucumJ3l25Dsxmwoa4LLjp40bZgYFgI+uf+WbPy4u0bg0baN6Y y70g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Fu9N3c2X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ci1si13839331ejb.3.2021.03.16.06.20.31; Tue, 16 Mar 2021 06:20:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Fu9N3c2X; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230452AbhCPHY5 (ORCPT + 99 others); Tue, 16 Mar 2021 03:24:57 -0400 Received: from mail.kernel.org ([198.145.29.99]:41788 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229660AbhCPHYz (ORCPT ); Tue, 16 Mar 2021 03:24:55 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 02CD364F91; Tue, 16 Mar 2021 07:24:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1615879494; bh=8uUDAW08JUiZFZ6RLHXQ4tv6CD+Mof+kNjKmo7xGysQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Fu9N3c2Xdt+OkZcZjfn4Yrm4YjiyMGSf1mi/i74GYOsj5bJ2/FDKsAPWq8JxFnvoj XOYEz2YkSBwczRBFMBwAhhBKQSczmGI82SNR2alFxYXXvEtQx8NIvjuajyPdBQru8I mWwdw7YcJ0mzKblwP8D+/6G1rcfI1o6wsWSeojF8= Date: Tue, 16 Mar 2021 08:24:50 +0100 From: Greg Kroah-Hartman To: Kees Cook Cc: Al Viro , Andrew Morton , Michal Hocko , Alexey Dobriyan , Lee Duncan , Chris Leech , Adam Nichols , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH v2] seq_file: Unconditionally use vmalloc for buffer Message-ID: References: <20210315174851.622228-1-keescook@chromium.org> <202103151336.78360DB34D@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202103151336.78360DB34D@keescook> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 15, 2021 at 01:43:59PM -0700, Kees Cook wrote: > On Mon, Mar 15, 2021 at 06:33:10PM +0000, Al Viro wrote: > > On Mon, Mar 15, 2021 at 10:48:51AM -0700, Kees Cook wrote: > > > The sysfs interface to seq_file continues to be rather fragile, as seen > > > with some recent exploits[1]. Move the seq_file buffer to the vmap area > > > (while retaining the accounting flag), since it has guard pages that > > > will catch and stop linear overflows. This seems justified given that > > > seq_file already uses kvmalloc(), is almost always using a PAGE_SIZE or > > > larger allocation, has allocations are normally short lived, and is not > > > normally on a performance critical path. > > > > You are attacking the wrong part of it. Is there any reason for having > > seq_get_buf() public in the first place? > > Completely agreed. seq_get_buf() should be totally ripped out. > Unfortunately, this is going to be a long road because of sysfs's ATTR > stuff, there are something like 5000 callers, and the entire API was > designed to avoid refactoring all those callers from > sysfs_kf_seq_show(). What is wrong with the sysfs ATTR stuff? That should make it so that we do not have to change any caller for any specific change like this, why can't sysfs or kernfs handle it automatically? > However, since I also need to entirely rewrite the sysfs vs kobj APIs[1] > for CFI, I'm working on a plan to fix it all at once, but based on my > experience refactoring the timer struct, it's going to be a very painful > and long road. Oh yeah, that fun. I don't think it's going to be as hard as you think, as the underlying code is doing the "right thing" here, so this feels like a problem in the CFI implementation more than anything else. So what can I do today in sysfs to help fix the seq_get_buf() stuff? What should it use instead? thanks, greg k-h