git.baikalelectronics.ru Git - kernel.git/commit

author	Xin Long <lucien.xin@gmail.com>
	Wed, 20 Mar 2019 06:49:38 +0000 (14:49 +0800)
committer	David S. Miller <davem@davemloft.net>
	Wed, 20 Mar 2019 18:09:47 +0000 (11:09 -0700)
commit	0f891c6afd69dcc180cab38210eb04d0b7db7dc8
tree	ad226efc0e220034faa6f67bf2f40af834119bbd	tree \| snapshot
parent	a1e193d2fd776877b1aa05d412528e88d95322f8	commit \| diff

sctp: use memdup_user instead of vmemdup_user

In sctp_setsockopt_bindx()/__sctp_setsockopt_connectx(), it allocates
memory with addrs_size which is passed from userspace. We used flag
GFP_USER to put some more restrictions on it in Commit 7e8b0b21d8df
("sctp: use GFP_USER for user-controlled kmalloc").

However, since Commit a99c4bf67efa ("sctp: use vmemdup_user() rather
than badly open-coding memdup_user()"), vmemdup_user() has been used,
which doesn't check GFP_USER flag when goes to vmalloc_*(). So when
addrs_size is a huge value, it could exhaust memory and even trigger
oom killer.

This patch is to use memdup_user() instead, in which GFP_USER would
work to limit the memory allocation with a huge addrs_size.

Note we can't fix it by limiting 'addrs_size', as there's no demand
for it from RFC.

Reported-by: syzbot+ec1b7575afef85a0e5ca@syzkaller.appspotmail.com
Fixes: a99c4bf67efa ("sctp: use vmemdup_user() rather than badly open-coding memdup_user()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>