Re: [PATCH] mm/mempolicy.c: Fix out of bounds write in mpol_parse_str()

From: Michal Hocko
Date: Wed Jan 15 2020 - 10:03:21 EST


On Wed 15-01-20 13:57:47, Dmitry Vyukov wrote:
> On Wed, Jan 15, 2020 at 1:54 PM Vlastimil Babka <vbabka@xxxxxxx> wrote:
> >
> > On 1/15/20 6:54 AM, Dan Carpenter wrote:
> > > What we are trying to do is change the '=' character to a NUL terminator
> > > and then at the end of the function we restore it back to an '='. The
> > > problem is there are two error paths where we jump to the end of the
> > > function before we have replaced the '=' with NUL. We end up putting
> > > the '=' in the wrong place (possibly one element before the start of
> > > the buffer).
> >
> > Bleh.
> >
> > > Reported-by: syzbot+e64a13c5369a194d67df@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> >
> > Acked-by: Vlastimil Babka <vbabka@xxxxxxx>
> >
> > CC stable perhaps? Can this (tmpfs mount options parsing AFAICS?) become
> > part of unprivileged operation in some scenarios?
>
> Yes, tmpfs can be mounted by any user inside of a user namespace.

Huh, is there any restriction though? It is certainly not nice to have
an arbitrary memory allocated without a way of reclaiming it and OOM
killer wouldn't help for shmem.
--
Michal Hocko
SUSE Labs