| From foo@baz Sun May 27 17:33:38 CEST 2018 |
| From: David Rientjes <rientjes@google.com> |
| Date: Wed, 21 Feb 2018 14:45:32 -0800 |
| Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE |
| |
| From: David Rientjes <rientjes@google.com> |
| |
| [ Upstream commit 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e ] |
| |
| chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc() |
| of chan->n_subbufs * sizeof(size_t *). |
| |
| kmalloc_slab() will generate a warning when this fails if |
| chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE. |
| |
| Limit chan->n_subbufs to the maximum allowed kmalloc() size. |
| |
| Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com |
| Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()") |
| Signed-off-by: David Rientjes <rientjes@google.com> |
| Reviewed-by: Andrew Morton <akpm@linux-foundation.org> |
| Cc: Jens Axboe <axboe@kernel.dk> |
| Cc: Dave Jiang <dave.jiang@intel.com> |
| Cc: Al Viro <viro@zeniv.linux.org.uk> |
| Cc: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| kernel/relay.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/kernel/relay.c |
| +++ b/kernel/relay.c |
| @@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_bu |
| { |
| struct rchan_buf *buf; |
| |
| - if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) |
| + if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)) |
| return NULL; |
| |
| buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); |
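
Review bot: the new limit in `if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))` carries no comment tying it to the allocation it protects, and that allocation (the kmalloc() of chan->n_subbufs * sizeof(size_t *) named in the commit message) is not adjacent to the check in relay_create_buf(). A one-line comment above the test would help, saying that n_subbufs is user-controlled and that the bound keeps the later kmalloc() request within KMALLOC_MAX_SIZE. Without it, a later cleanup could mistake the test for a plain overflow guard and loosen it back to a UINT_MAX-style limit. The division form still prevents the multiplication from wrapping, so the intent of the Fixes: commit is preserved. Separately, the commit message writes chan->subbufs in its second paragraph where the field checked here is chan->n_subbufs.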