From: Christian Brauner
Sent: 12 June 2020 19:28
...
if (size < 32) return -EINVAL;
if (size > PAGE_SIZE) return -E2BIG;
(Tangent: what was the reason for copy_struct_from_user() not including the min/max check? I have a memory of Al objecting to having an "internal" limit?)
Al didn't want the PAGE_SIZE limit in there because there's nothing inherently wrong with copying insane amounts of memory.
The problem is really allowing a user process to allocate unbounded blocks of memory, not the copy itself.
The limit for IOW() etc is 16k - not a problem. If a 32-bit size is set to just under 4GB, so you really want to allocate 4GB of memory, then find the request is garbage. Seems like a nice DoS attack. A 64-bit size can be worse.
Potentially the limit should be in memdup_user() itself. And possibly an extra parameter giving a per-call lower? limit.
David
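A user-space model of the pattern under discussion, added here as an illustration and not code from the thread or the kernel: a copy_struct_from_user()-style extensible-struct copy that never allocates, wrapped by the caller-side min/PAGE_SIZE bound so an oversized size is rejected before any allocator sees it. The struct `my_args`, the constant `MY_ARGS_SIZE_VER0` and the function names are assumptions for the example.

```c
/* Model of copy_struct_from_user() with the caller-side size bound.
 * Hypothetical example; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096UL
#define MY_ARGS_SIZE_VER0 32   /* oldest ABI size accepted (the "< 32" check) */

/* Current kernel view of the struct: 40 bytes; field e was added later. */
struct my_args { uint64_t flags, a, b, c, e; };

/* Mirrors copy_struct_from_user(): copy min(ksize, usize) bytes.
 * usize > ksize: the user's extra tail must be all zero, else -E2BIG.
 * usize < ksize: the missing kernel tail is zero-filled.
 * Note it carries no upper bound of its own; that is the caller's job. */
static int model_copy_struct(void *dst, size_t ksize, const void *src, size_t usize)
{
    size_t size = ksize < usize ? ksize : usize;

    if (usize > ksize) {
        const unsigned char *p = (const unsigned char *)src + ksize;
        for (size_t i = 0; i < usize - ksize; i++)
            if (p[i])
                return -E2BIG;
    }
    memcpy(dst, src, size);
    memset((unsigned char *)dst + size, 0, ksize - size);
    return 0;
}

/* The bound the thread says belongs around the copy: reject sizes below the
 * first ABI version and above PAGE_SIZE first, so a size of ~4GB from a
 * 32-bit field (or worse from a 64-bit one) never reaches an allocation. */
static int parse_my_args(struct my_args *out, const void *src, size_t size)
{
    if (size < MY_ARGS_SIZE_VER0)
        return -EINVAL;
    if (size > PAGE_SIZE)
        return -E2BIG;
    return model_copy_struct(out, sizeof(*out), src, size);
}
```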