    sctp: use memdup_user instead of vmemdup_user · 118ad2c7
    Xin Long authored
    [ Upstream commit ef82bcfa ]
    
    In sctp_setsockopt_bindx()/__sctp_setsockopt_connectx(), it allocates
    memory with addrs_size which is passed from userspace. We used flag
    GFP_USER to put some more restrictions on it in Commit cacc0621
    ("sctp: use GFP_USER for user-controlled kmalloc").
    
    However, since Commit c981f254 ("sctp: use vmemdup_user() rather
    than badly open-coding memdup_user()"), vmemdup_user() has been used,
    which doesn't check the GFP_USER flag when it goes to vmalloc_*(). So
    when addrs_size is a huge value, it could exhaust memory and even
    trigger the OOM killer.
    
    This patch is to use memdup_user() instead, in which GFP_USER would
    work to limit the memory allocation with a huge addrs_size.
    
    Note we can't fix it by limiting 'addrs_size', as there's no demand
    for it from the RFC.
    
    Reported-by: syzbot+ec1b7575afef85a0e5ca@syzkaller.appspotmail.com
    Fixes: c981f254 ("sctp: use vmemdup_user() rather than badly open-coding memdup_user()")
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Name
Kconfig
Makefile
associola.c
auth.c
bind_addr.c
chunk.c
debug.c
diag.c
endpointola.c
input.c
inqueue.c
ipv6.c
objcnt.c
offload.c
output.c
outqueue.c
primitive.c
proc.c
protocol.c
sm_make_chunk.c
sm_sideeffect.c
sm_statefuns.c
sm_statetable.c
socket.c
stream.c
stream_interleave.c
stream_sched.c
stream_sched_prio.c
stream_sched_rr.c
sysctl.c
transport.c
tsnmap.c
ulpevent.c
ulpqueue.c