| Message ID | 20241216081953.3566217-1-lizhi.xu@windriver.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | tomoyo: prevent bad buffer size in tracing_cpumask_write | expand |
On 2024/12/16 17:19, Lizhi Xu wrote: > User input a too large buffer size 0xfffffdeful, although it is truncated to > MAX_RW_COUNT in vfs_write, its value is still too large, causing warning when > allocating memory in tomoyo_write_control. > > Add a check for it to avoid this case. Thank you for a patch. But I don't think this fix is correct, for one can make head->writebuf_size too large by writing chunks without new line for many times. > > Reported-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76 > Tested-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com > Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com> > --- > security/tomoyo/common.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c > index 5c7b059a332a..f63388c2fffd 100644 > --- a/security/tomoyo/common.c > +++ b/security/tomoyo/common.c > @@ -2654,6 +2654,8 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, > > if (!head->write) > return -EINVAL; > + if (avail_len > KMALLOC_MAX_SIZE) > + return -EINVAL; > if (mutex_lock_interruptible(&head->io_sem)) > return -EINTR; > cp0 = head->write_buf;
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 5c7b059a332a..f63388c2fffd 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2654,6 +2654,8 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, if (!head->write) return -EINVAL; + if (avail_len > KMALLOC_MAX_SIZE) + return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; cp0 = head->write_buf;