seq_file: disallow extremely large seq buffer allocations

stable inclusion from stable-5.10.52 commit 174c34d9cda1b5818419b8f5a332ced10755e52f bugzilla: 331 CVE: CVE-2021-33909 --------------------------------------------------------------- commit 8cae8cd8 upstream. There is no reasonable need for a buffer larger than this, and it avoids int overflow pitfalls. Fixes: 058504ed ("fs/seq_file: fallback to vmalloc allocation") Suggested-by: N Al Viro <viro@zeniv.linux.org.uk> Reported-by: N Qualys Security Advisory <qsa@qualys.com> Signed-off-by: N Eric Sandeen <sandeen@redhat.com> Cc: stable@kernel.org Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

seq_file: disallow extremely large seq buffer allocations
stable inclusion from stable-5.10.52 commit 174c34d9cda1b5818419b8f5a332ced10755e52f bugzilla: 331 CVE: CVE-2021-33909 --------------------------------------------------------------- commit 8cae8cd8 upstream. There is no reasonable need for a buffer larger than this, and it avoids int overflow pitfalls. Fixes: 058504ed ("fs/seq_file: fallback to vmalloc allocation") Suggested-by: N Al Viro <viro@zeniv.linux.org.uk> Reported-by: N Qualys Security Advisory <qsa@qualys.com> Signed-off-by: N Eric Sandeen <sandeen@redhat.com> Cc: stable@kernel.org Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
59470176 · Eric Sandeen · Zheng Zengkai · 3965519b · 59470176
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

fs/seq_file.c fs/seq_file.c +3 -0

未找到文件。
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -32,6 +32,9 @@ static void seq_set_overflow(struct seq_file *m)

 static void *seq_buf_alloc(unsigned long size)
 {
+	if (unlikely(size > MAX_RW_COUNT))
+		return NULL;
+
 	return kvmalloc(size, GFP_KERNEL_ACCOUNT);
 }