[PATCH] tomoyo: Reject excessively long lines

From: Leo Stone
Date: Sun Dec 15 2024 - 21:15:50 EST

Next message: syzbot: "Re: [syzbot] [trace?] WARNING in bitmap_parse_user"
Previous message: Stephen Rothwell: "linux-next: manual merge of the mfd tree with Linus' tree"
In reply to: syzbot: "[syzbot] [tomoyo?] WARNING in tomoyo_write_control"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

syzbot creates an anonymous memory region, and then issues a
write syscall from the new memory region to a sysfs entry controlled by
tomoyo, specifying a buffer size of just under 2 GB (the actual size of
the buffer is ~32 MB). Because tomoyo_write_control will double the
size of head->write_buf every time it runs out of space for the current
line, and everything in the zero-initialized buffer is on the same line,
the function will eventually issue a kzalloc with a size that is too large,
triggering the warning.

Reject writes with excessively long lines.

Reported-by: syzbot+7536f77535e5210a5c76@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
Signed-off-by: Leo Stone <leocstone@xxxxxxxxx>
---
security/tomoyo/common.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 5c7b059a332a..0c75be949c9d 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2665,6 +2665,10 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,

if (head->w.avail >= head->writebuf_size - 1) {
const int len = head->writebuf_size * 2;
+ if (len > KMALLOC_MAX_SIZE) {
+ error = -EINVAL;
+ break;
+ }
char *cp = kzalloc(len, GFP_NOFS);

if (!cp) {
--
2.43.0

Next message: syzbot: "Re: [syzbot] [trace?] WARNING in bitmap_parse_user"
Previous message: Stephen Rothwell: "linux-next: manual merge of the mfd tree with Linus' tree"
In reply to: syzbot: "[syzbot] [tomoyo?] WARNING in tomoyo_write_control"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]