1. Patchew
  2. linux
  3. View series

[PATCH] tomoyo: prevent bad buffer size in tracing_cpumask_write

Lizhi Xu posted 1 patch 1 year ago 
security/tomoyo/common.c | 2 ++
1 file changed, 2 insertions(+)
[PATCH] tomoyo: prevent bad buffer size in tracing_cpumask_write
Posted by Lizhi Xu 1 year ago 
User input a too large buffer size 0xfffffdeful, although it is truncated to
MAX_RW_COUNT in vfs_write, its value is still too large, causing warning when
allocating memory in tomoyo_write_control.

Add a check for it to avoid this case.

Reported-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
Tested-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 security/tomoyo/common.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 5c7b059a332a..f63388c2fffd 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2654,6 +2654,8 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
 
 	if (!head->write)
 		return -EINVAL;
+	if (avail_len > KMALLOC_MAX_SIZE)
+		return -EINVAL;
 	if (mutex_lock_interruptible(&head->io_sem))
 		return -EINTR;
 	cp0 = head->write_buf;
-- 
2.43.0
Re: [PATCH] tomoyo: prevent bad buffer size in tracing_cpumask_write
Posted by Tetsuo Handa 1 year ago 
On 2024/12/16 17:19, Lizhi Xu wrote:
> User input a too large buffer size 0xfffffdeful, although it is truncated to
> MAX_RW_COUNT in vfs_write, its value is still too large, causing warning when
> allocating memory in tomoyo_write_control.
> 
> Add a check for it to avoid this case.

Thank you for a patch. But I don't think this fix is correct, for one can make
head->writebuf_size too large by writing chunks without new line for many times.

> 
> Reported-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
> Tested-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
>  security/tomoyo/common.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
> index 5c7b059a332a..f63388c2fffd 100644
> --- a/security/tomoyo/common.c
> +++ b/security/tomoyo/common.c
> @@ -2654,6 +2654,8 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
>  
>  	if (!head->write)
>  		return -EINVAL;
> +	if (avail_len > KMALLOC_MAX_SIZE)
> +		return -EINVAL;
>  	if (mutex_lock_interruptible(&head->io_sem))
>  		return -EINTR;
>  	cp0 = head->write_buf;

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.