Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp116889pxv; Wed, 21 Jul 2021 17:19:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwEj4GNo/UDKejpx3aEKPefpY8Cwm8Bu+SPCuRgH1RnK7bJVUyszlLYgEIdsq17tr+Mq7HO X-Received: by 2002:a17:906:f8da:: with SMTP id lh26mr40555429ejb.203.1626913140057; Wed, 21 Jul 2021 17:19:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626913140; cv=none; d=google.com; s=arc-20160816; b=SqqQyyrL/AVBEzUmj86cePdclXwRqZMWTKwKWSQ1yDhacYXGX3qqycu/+0nL9vrejm YzthhQilwkAo7aX1vOHunv8IodOzE24fbpImdWGVV/0uLVNWmxLa4VEwjk19tnSg6IRx MaJrvd5s8EqhgnbPkMf2/802ukrY29MN2AtZiMvQGH0P2RLv92enNxv70FyOTr1Kbc3w 9RzoH8yfuPTlBTL3/I5hyzaVCbM/7CvBMsqFt1ctC0pIKtz3Q+vxn+4vcqM7pbUVLXNm HQGnp7Yw+DUTXKa+/0ObpLAD9I1aIgAEzkRvwUEQ+OqVYJZYHNHnvV7fvL5mo6F5+nbQ 5LhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=JlC7x4HHDcOKXJYHkjPYWZJQfgICJvrDTgByLHtxKD8=; b=GaBantKv/WLf2FvWzbHT9eR/kkfCngG3jsZ+r1Dia9ZnKxOur7o1iKIpSzNNaV1YwJ 86T08MAVaT/uVP/EgC8jkTCFzB8P3UnEYciAF5lSNxouiPiRF9JWi8rxI2Myk7B12uo7 xCw3weEtK8+0CUMg0Kv3DduoKyoF+t0fgtRQq4cLRhmBLhcIJ9sZlcCEdpm6q81akK4s e+3+px31oSMXfgvBwrbaksTQqVzc7t5LT5i2WSK0zwJPmrCJ0rfQmX2pS/YM3TGtnRro zXtcaK4LYPgZ5TXMftMY2mrZ6aNRUFJUSdOzD8jYJ63VsTBC4PbwTLz7tG+mzMpea02e GACw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=CIgPBTOR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a7si29056733eds.521.2021.07.21.17.18.37; Wed, 21 Jul 2021 17:19:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=CIgPBTOR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229775AbhGUXeo (ORCPT + 99 others); Wed, 21 Jul 2021 19:34:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49884 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229632AbhGUXeo (ORCPT ); Wed, 21 Jul 2021 19:34:44 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F34DBC061575 for ; Wed, 21 Jul 2021 17:15:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=JlC7x4HHDcOKXJYHkjPYWZJQfgICJvrDTgByLHtxKD8=; b=CIgPBTORGNndgMQ80q6kGI77rm WoNQINcAfsU2DnAI6JmbJNvDcj1Ov4uh2HKB8nWXwbEtb+2YGNkUaGyRZ1WzKG4v1ypHvpMhtk3xD 8P6UKuiElHOOm/2U6ymEahBCkbLGFlX8+12cRcrjTUQhdBUkgJuFwITT6cneOeY90kTiV7SnYC9Cl 2FaFXvRbxckywvrtZb1Hemd5JiamMf0JEhPu00XmDivzfz5wUMc0yj9qYQ4jyYOdABR5Cj1qZpAP6 L99VoK5rop2NnFiD1LB6ujQCRTXttHXmyVxWjqi4U+GgT7Gou5ZxeIfVTgik8ksfTQVSUJID5q6YP VqbtGFIQ==; Received: from willy by casper.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1m6MM9-009jO8-HH; Thu, 22 Jul 2021 00:14:44 +0000 Date: Thu, 22 Jul 2021 01:14:29 +0100 From: Matthew Wilcox To: Linus Torvalds Cc: Al Viro , Qualys Security Advisory , Eric Sandeen , Linux-MM , Linux Kernel Mailing List Subject: Re: [PATCH] mm: Make kvmalloc refuse to allocate more than 2GB Message-ID: References: <20210721184131.2264356-1-willy@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 21, 2021 at 01:46:09PM -0700, Linus Torvalds wrote: > On Wed, Jul 21, 2021 at 11:42 AM Matthew Wilcox (Oracle) > wrote: > > > > It's generally dangerous to allocate such large quantities of memory > > within the kernel owing to our propensity to use 'int' to represent > > a length. If somebody really needs it, we can add a kvmalloc_large() > > later, but let's default to "You can't allocate that much memory". > > I really think that without the WARN_ON_ONCE(), this is just moving > that failure point from a known good place ("we know this must not > succeed") to a possibly bad place ("this might cause silent and > hard-to-understand failures elsewhere"). To a certain extent, yes. On the other hand, if you don't have any error handling on your kvmalloc of 2GB, Qualys seems to have a reliable way to run you out of vmalloc space, and that's going to get exercised. My initial thought was to leverage the existing __GFP_NOWARN code: if (size > PAGE_SIZE) { - kmalloc_flags |= __GFP_NOWARN; + if (size <= INT_MAX) + kmalloc_flags |= __GFP_NOWARN; because that dumps some interesting information (ratelimited), which might help the sysadmin realise they're under attack. A WARN_ON_ONCE is one-and-done, so an attacker can hide their tracks. Unfortunately, we actually bail out before getting there: if (unlikely(order >= MAX_ORDER)) { WARN_ON_ONCE(!(gfp & __GFP_NOWARN)); return NULL; } ... maybe that should call warn_alloc() too. So I'm now thinking (relative to the earlier patch): - if (size > INT_MAX) + if (size > INT_MAX) { + warn_alloc(flags, NULL, "oversized allocation:%zu", size); return NULL; + }