iov_iter: use kmemdup_array for dup_iter to harden against overflow#736
Open
blktests-ci[bot] wants to merge 1 commit intolinus-master_basefrom
Open
iov_iter: use kmemdup_array for dup_iter to harden against overflow#736blktests-ci[bot] wants to merge 1 commit intolinus-master_basefrom
blktests-ci[bot] wants to merge 1 commit intolinus-master_basefrom
Conversation
Author
|
Upstream branch: 9a9c8ce |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
70128c9 to
b85986b
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
78a4682 to
8f17195
Compare
Author
|
Upstream branch: 028ef9c |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
b85986b to
9c01aee
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
8f17195 to
6b4d829
Compare
Author
|
Upstream branch: d60bc14 |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
9c01aee to
8057705
Compare
Author
|
Upstream branch: d60bc14 |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
8057705 to
5b82972
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
6b4d829 to
ceec5ed
Compare
Author
|
Upstream branch: b4e0758 |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
5b82972 to
e971730
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
ceec5ed to
3b54e52
Compare
Author
|
Upstream branch: 6596a02 |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
e971730 to
8a4509a
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
3b54e52 to
6a0b974
Compare
Author
|
Upstream branch: 507bd4b |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
8a4509a to
e27fd09
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
6a0b974 to
59ca59b
Compare
Author
|
Upstream branch: dd6c438 |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
e27fd09 to
bd8ef90
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
2 times, most recently
from
94f0438 to
857ada9
Compare
Author
|
Upstream branch: dd6c438 |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
bd8ef90 to
9315963
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
857ada9 to
482ce5b
Compare
Author
|
Upstream branch: dca922e |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
9315963 to
d494deb
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
482ce5b to
5a9f7c7
Compare
While auditing the Linux 7.0-rc2 kernel, I identified a potential security vulnerability in the iov_iter framework's memory allocation logic. The dup_iter() function, which is exported via EXPORT_SYMBOL, currently uses kmemdup() with a raw multiplication to allocate the duplicate iovec array: new->iov = kmemdup(from->iov, nr_segs * sizeof(struct iovec), gfp); The hazard here is that dup_iter() relies on a primitive multiplication without any integrated overflow check. Since nr_segs is often derived from user-space input, this line is vulnerable to integer overflow (on 32-bit systems or via type narrowing), potentially leading to a small allocation followed by a large out-of-bounds memory copy. Furthermore, it allows for unbounded memory allocations, as the function lacks intrinsic knowledge of safe limits. On the 7.0-rc2 branch, several high-impact callchains still rely on this exported function: drivers/usb/gadget/function/f_fs.c: The ffs_epfile_read_iter() path demonstrates why relying on dup_iter() is dangerous: it performs allocation based on user input before verifying driver state. This confirms that dup_iter() must be hardened internally as it cannot assume pre-validated input. drivers/usb/gadget/legacy/inode.c: The ep_read_iter() path illustrates how dup_iter()’s lack of boundary awareness compounds resource risks. When combined with other allocations, it creates a multiplier effect for kernel memory pressure. This patch replaces kmemdup() with kmemdup_array(), which utilizes check_mul_overflow() to ensure the allocation size is calculated safely, hardening dup_iter() against malicious or malformed inputs from its callers Signed-off-by: Wang Haoran <[email protected]> Reviewed-by: Christoph Hellwig <[email protected]>
Author
|
Upstream branch: e75a43c |
blktests-ci
Bot
force-pushed
the
series/1080485=>linus-master
branch
from
d494deb to
f559dca
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: iov_iter: use kmemdup_array for dup_iter to harden against overflow
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1080485