linux/net/sctp
Xin Long ef82bcfa67 sctp: use memdup_user instead of vmemdup_user
In sctp_setsockopt_bindx()/__sctp_setsockopt_connectx(), it allocates
memory with addrs_size which is passed from userspace. We used flag
GFP_USER to put some more restrictions on it in Commit cacc062152
("sctp: use GFP_USER for user-controlled kmalloc").

However, since Commit c981f254cc ("sctp: use vmemdup_user() rather
than badly open-coding memdup_user()"), vmemdup_user() has been used,
which doesn't check GFP_USER flag when goes to vmalloc_*(). So when
addrs_size is a huge value, it could exhaust memory and even trigger
oom killer.

This patch is to use memdup_user() instead, in which GFP_USER would
work to limit the memory allocation with a huge addrs_size.

Note we can't fix it by limiting 'addrs_size', as there's no demand
for it from RFC.

Reported-by: syzbot+ec1b7575afef85a0e5ca@syzkaller.appspotmail.com
Fixes: c981f254cc ("sctp: use vmemdup_user() rather than badly open-coding memdup_user()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-20 11:09:47 -07:00
..
associola.c
auth.c sctp: move up sctp_auth_init_hmacs() in sctp_endpoint_init() 2019-03-08 11:42:49 -08:00
bind_addr.c
chunk.c
debug.c
diag.c
endpointola.c sctp: move up sctp_auth_init_hmacs() in sctp_endpoint_init() 2019-03-08 11:42:49 -08:00
input.c
inqueue.c
ipv6.c
Kconfig
Makefile
objcnt.c
offload.c
output.c
outqueue.c
primitive.c
proc.c
protocol.c
sm_make_chunk.c
sm_sideeffect.c
sm_statefuns.c
sm_statetable.c
socket.c sctp: use memdup_user instead of vmemdup_user 2019-03-20 11:09:47 -07:00
stream.c sctp: convert to genradix 2019-03-12 10:04:02 -07:00
stream_interleave.c sctp: convert to genradix 2019-03-12 10:04:02 -07:00
stream_sched.c
stream_sched_prio.c
stream_sched_rr.c
sysctl.c
transport.c
tsnmap.c
ulpevent.c
ulpqueue.c