Re: [PATCH -next] mm: delete oversized WARN_ON() in kvmalloc() calls

From: Jason Gunthorpe
Date: Thu Dec 02 2021 - 12:03:46 EST


On Wed, Dec 01, 2021 at 07:46:01PM -0800, Kees Cook wrote:

> If we're rejecting the value, then it's still a pathological size, so
> shouldn't the check be happening in the caller? I think the WARN is
> doing exactly what it was supposed to do: find the places where bad
> sizes can reach vmalloc.

I think it meshes very poorly with the overflow work:

p = kzalloc(struct_size(p, regions, num_regions), GFP_KERNEL);

If num_regions is user controlled data why should the calling driver
have to somehow sanitize num_regions (without bugs!) instead of
relying on struct_size() and kzalloc() to contain all the sanitation?

What you are suggesting just pushes security sensitive coding into
drivers, which I think is the opposite of what we all want?

Jason
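As an added illustration of the argument above (not code from the thread or the kernel), the following user-space model shows how a saturating struct_size() plus an allocator that rejects oversized requests lets the driver pass a user-controlled count straight through; model_struct_size, model_kzalloc, alloc_map and the struct layouts are assumed names, and the INT_MAX limit stands in for the allocator's size policy.

```c
/* Added example: user-space model of struct_size() saturation and an
 * allocator that refuses pathological sizes. All names are assumed. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

struct region { uint64_t start, len; };

struct map {
    uint32_t num_regions;
    struct region regions[]; /* flexible array, sized by num_regions */
};

/* Model of struct_size(): header + n * sizeof(element), returning
 * SIZE_MAX instead of wrapping when the arithmetic overflows. */
static size_t model_struct_size(size_t header, size_t elem, size_t n)
{
    size_t bytes, total;

    if (__builtin_mul_overflow(n, elem, &bytes) ||
        __builtin_add_overflow(header, bytes, &total))
        return SIZE_MAX;
    return total;
}

/* Model of the allocator's size policy: anything above INT_MAX (which
 * includes the saturated SIZE_MAX) is rejected with NULL, no WARN. */
static void *model_kzalloc(size_t size)
{
    if (size > INT_MAX)
        return NULL;
    return calloc(1, size);
}

/* The pattern from the mail: the driver forwards the user-controlled
 * count unchecked and only tests the result for NULL. Any count that
 * overflows or exceeds the allocator's limit yields NULL. */
struct map *alloc_map(size_t num_regions)
{
    struct map *p = model_kzalloc(model_struct_size(
            offsetof(struct map, regions),
            sizeof(struct region), num_regions));

    if (p)
        p->num_regions = (uint32_t)num_regions;
    return p;
}
```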