Skip to content

Commit

Permalink
kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
Browse files Browse the repository at this point in the history 
chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc()
of chan->n_subbufs * sizeof(size_t *).

kmalloc_slab() will generate a warning when this fails if
chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE.

Limit chan->n_subbufs to the maximum allowed kmalloc() size.

Link: http://lkml.kernel.org/r/[email protected]
Fixes: f6302f1 ("relay: prevent integer overflow in relay_open()")
Signed-off-by: David Rientjes <[email protected]>
Reviewed-by: Andrew Morton <[email protected]>
Cc: Jens Axboe <[email protected]>
Cc: Dave Jiang <[email protected]>
Cc: Al Viro <[email protected]>
Cc: Dan Carpenter <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
@rientjes @torvalds
rientjes authored and torvalds committed Feb 21, 2018
1 parent 9c4e6b1 commit 88913bd
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion kernel/relay.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan)
{
struct rchan_buf *buf;

if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
return NULL;

buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
Expand Down

0 comments on commit 88913bd

Please sign in to comment.