Re: [PATCH] fs/proc/kcore.c: Omit kernel text area for hardened usercopy feature

From: Linus Torvalds
Date: Wed Sep 07 2016 - 12:58:14 EST


On Wed, Sep 7, 2016 at 9:38 AM, Andi Kleen <andi@xxxxxxxxxxxxxx> wrote:
>>
>> - n = copy_to_user(buffer, (char *)start, tsz);
>> + buf = kzalloc(tsz, GFP_KERNEL);
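Review bot: the allocation result is not checked in the visible lines; `buf = kzalloc(tsz, GFP_KERNEL);` replaces the direct `copy_to_user()` but nothing here handles a NULL return (a `if (!buf) return -ENOMEM;`, or returning the partial count already copied) and no matching `kfree(buf)` is shown, so the error and copy_to_user-failure paths need to be confirmed to free it. If this line sits inside the per-chunk read loop, the allocation is also repeated for every chunk rather than done once.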
>
> You have to add some limit and a loop, otherwise a user can eat all kernel memory,
> or copies > KMALLOC_MAX wouldn't work. Probably only get a single page.

'start' and 'tsz' are already chunked to be aligned pages (well, as
aligned as they can be: the beginning and end obviously won't be).
Above the loop:

	if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
		tsz = buflen;

and then inside the loop:

	tsz = (buflen > PAGE_SIZE ? PAGE_SIZE : buflen);

so it's already limited to one page.

That said, it *might* be worth moving the temporary allocation to the
top, or even to move it to open_kcore(). It used to be a special case
for just the vmalloc region, now it's always done.

So instead of having two different copies of the same special case for
the two different cases, why not try to unify them and just have one
common (page-sized) buffer allocation?

Linus
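An added example (not code from the patch or from anyone in this thread) that models the chunking quoted above and bounces every chunk through one page-sized buffer, as the reply suggests; PAGE_SIZE, the sample "kernel" bytes and the user destination are constructed stand-ins, not the real kcore structures:

```c
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096UL
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* Constructed stand-in for the kernel region being read: 3 pages of pattern data. */
#define SAMPLE_LEN (3 * PAGE_SIZE)
static unsigned char kernel_image[SAMPLE_LEN];
static unsigned char user_buf[SAMPLE_LEN];

void init_sample(void)
{
	for (size_t i = 0; i < SAMPLE_LEN; i++)
		kernel_image[i] = (unsigned char)(i * 7 + 1);
}

/*
 * Model of the read loop's chunking: 'start' is the address the read begins
 * at, 'src' the bytes found there, 'user' the destination.  Every chunk is
 * bounced through ONE page-sized buffer; chunk sizes go to chunks[].
 * Returns the number of chunks produced.
 */
size_t kcore_read_model(unsigned long start, const unsigned char *src,
			size_t buflen, unsigned char *user,
			size_t *chunks, size_t max_chunks)
{
	unsigned char buf[PAGE_SIZE];	/* the single bounce page */
	size_t done = 0, n = 0, tsz;

	/* Above the loop: the first chunk stops at the end of the page holding start. */
	if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
		tsz = buflen;

	while (buflen) {
		memcpy(buf, src + done, tsz);	/* kernel memory -> bounce page */
		memcpy(user + done, buf, tsz);	/* stands in for copy_to_user() */
		if (n < max_chunks)
			chunks[n] = tsz;
		n++;
		done += tsz;
		buflen -= tsz;
		/* Inside the loop: every further chunk is at most one page. */
		tsz = (buflen > PAGE_SIZE ? PAGE_SIZE : buflen);
	}
	return n;
}
```

Because no chunk can exceed PAGE_SIZE, the bounce buffer never needs to be larger than a page, whatever buflen the caller passes.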