Re: [PATCH -next] mm: delete oversized WARN_ON() in kvmalloc() calls
From: Jason Gunthorpe
Date: Thu Dec 02 2021 - 12:03:46 EST
On Wed, Dec 01, 2021 at 07:46:01PM -0800, Kees Cook wrote:
> If we're rejecting the value, then it's still a pathological size, so
> shouldn't the check be happening in the caller? I think the WARN is
> doing exactly what it was supposed to do: find the places where bad
> sizes can reach vmalloc.
I think it meshes very poorly with the overflow work:
p = kzalloc(struct_size(p, regions, num_regions), GFP_KERNEL);
If num_regions is user controlled data why should the calling driver
have to somehow sanitize num_regions (without bugs!) instead of
relying on struct_size() and kzalloc() to contain all the sanitation?
What you are suggesting just pushes security sensitive coding into
drivers, which I think is the opposite of what we all want?
Jason
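A userspace model of the struct_size()/kzalloc() contract the reply leans on, added here as an example and not code from the thread or the kernel: struct regions_hdr, size_mul(), size_add(), struct_size_model(), naive_size() and alloc_would_reject() are assumed names, and the compiler's __builtin_*_overflow stand in for the kernel's overflow helpers. It shows why a saturating size computation lets the allocator reject a user-controlled count instead of handing back an undersized buffer.

```c
/* Added example: models how a saturating struct_size() keeps an
 * overflowed, user-controlled element count from reaching the
 * allocator as a small, wrapped size.  All names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct region { uint64_t base, len; };

struct regions_hdr {
    uint32_t num_regions;
    struct region regions[];   /* flexible array, as in the driver pattern */
};

/* Saturating multiply: overflow yields SIZE_MAX instead of a wrapped value. */
static size_t size_mul(size_t a, size_t b)
{
    size_t r;
    if (__builtin_mul_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

/* Saturating add with the same rule. */
static size_t size_add(size_t a, size_t b)
{
    size_t r;
    if (__builtin_add_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

/* Model of struct_size(p, regions, n): header plus n trailing elements. */
static size_t struct_size_model(size_t n)
{
    return size_add(offsetof(struct regions_hdr, regions),
                    size_mul(n, sizeof(struct region)));
}

/* Unchecked arithmetic, for comparison: silently wraps on overflow. */
static size_t naive_size(size_t n)
{
    return offsetof(struct regions_hdr, regions) + n * sizeof(struct region);
}

/* Model of the allocator's reject path: a saturated size is refused. */
static bool alloc_would_reject(size_t bytes)
{
    return bytes == SIZE_MAX;
}
```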