[PATCH] kmsg: limit message size

From: Sasha Levin
Date: Sat May 05 2012 - 10:55:47 EST


There are no size checks in kmsg_write(), and we try allocating enough
memory to store everything userspace gave us, which may be too much for
kmalloc to allocate.

Furthermore, we can have an integer overflow if len==INT_MAX, in that case
we'll corrupt kernel memory.

This was tested with several userspace programs that write to kmsg, and I haven't
found a case where the program attempts to write more than PAGE_SIZE.

Signed-off-by: Sasha Levin <levinsasha928@xxxxxxxxx>
---
drivers/char/mem.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index d6e9d08..c90964b 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -815,6 +815,9 @@ static ssize_t kmsg_writev(struct kiocb *iocb, const struct iovec *iv,
ssize_t ret = -EFAULT;
size_t len = iov_length(iv, count);

+ if (len > PAGE_SIZE)
+ return -E2BIG;
+
line = kmalloc(len + 1, GFP_KERNEL);
if (line == NULL)
return -ENOMEM;
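Review bot: the new `if (len > PAGE_SIZE)` check sits before `line = kmalloc(len + 1, GFP_KERNEL);`, so it bounds both the allocation size and the `len + 1` wraparound, but PAGE_SIZE is an unexplained magic bound here; the commit message says it was picked because no tested writer exceeded it, so please carry that rationale into a comment above the check (or a named constant) so a later reader does not mistake it for a printk line limit. Also, `len` is a `size_t` from `iov_length()`, so the `len + 1` wraparound the commit message attributes to `len == INT_MAX` actually occurs at SIZE_MAX; the check covers it either way since it runs before the allocation, but the description should match the type.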
--
1.7.8.5
