[PATCH] tomoyo: prevent bad buffer size in tracing_cpumask_write

From: Lizhi Xu
Date: Mon Dec 16 2024 - 03:20:43 EST

Next message: Dmitry Baryshkov: "[PATCH] drm/msm/dpu: correct LM pairing for SM6150"
Previous message: Yasin Lee: "Re: [PATCH] iio: proximity: hx9023s: Added firmware file parsing functionality"
Next in thread: Tetsuo Handa: "Re: [PATCH] tomoyo: prevent bad buffer size in tracing_cpumask_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

User input a too large buffer size 0xfffffdeful, although it is truncated to
MAX_RW_COUNT in vfs_write, its value is still too large, causing warning when
allocating memory in tomoyo_write_control.

Add a check for it to avoid this case.

Reported-by: syzbot+7536f77535e5210a5c76@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
Tested-by: syzbot+7536f77535e5210a5c76@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Lizhi Xu <lizhi.xu@xxxxxxxxxxxxx>
---
security/tomoyo/common.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 5c7b059a332a..f63388c2fffd 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2654,6 +2654,8 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,

if (!head->write)
return -EINVAL;
+ if (avail_len > KMALLOC_MAX_SIZE)
+ return -EINVAL;
if (mutex_lock_interruptible(&head->io_sem))
return -EINTR;
cp0 = head->write_buf;
--
2.43.0

Next message: Dmitry Baryshkov: "[PATCH] drm/msm/dpu: correct LM pairing for SM6150"
Previous message: Yasin Lee: "Re: [PATCH] iio: proximity: hx9023s: Added firmware file parsing functionality"
Next in thread: Tetsuo Handa: "Re: [PATCH] tomoyo: prevent bad buffer size in tracing_cpumask_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]