| From 7661809d493b426e979f39ab512e3adf41fbcc69 Mon Sep 17 00:00:00 2001 |
| From: Linus Torvalds <torvalds@linux-foundation.org> |
| Date: Wed, 14 Jul 2021 09:45:49 -0700 |
| Subject: mm: don't allow oversized kvmalloc() calls |
| |
| From: Linus Torvalds <torvalds@linux-foundation.org> |
| |
| commit 7661809d493b426e979f39ab512e3adf41fbcc69 upstream. |
| |
| 'kvmalloc()' is a convenience function for people who want to do a |
| kmalloc() but fall back on vmalloc() if there aren't enough physically |
| contiguous pages, or if the allocation is larger than what kmalloc() |
| supports. |
| |
| However, let's make sure it doesn't get _too_ easy to do crazy things |
| with it. In particular, don't allow big allocations that could be due |
| to integer overflow or underflow. So make sure the allocation size fits |
| in an 'int', to protect against trivial integer conversion issues. |
| |
| Acked-by: Willy Tarreau <w@1wt.eu> |
| Cc: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| mm/util.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/mm/util.c |
| +++ b/mm/util.c |
| @@ -581,6 +581,10 @@ void *kvmalloc_node(size_t size, gfp_t f |
| if (ret || size <= PAGE_SIZE) |
| return ret; |
| |
| + /* Don't even allow crazy sizes */ |
| + if (WARN_ON_ONCE(size > INT_MAX)) |
| + return NULL; |
| + |
| return __vmalloc_node(size, 1, flags, node, |
| __builtin_return_address(0)); |
| } |