commit cacc06215271104b40773c99547c506095db6ad4
author Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Mon Nov 30 14:32:54 2015 -0200
committer David S. Miller <davem@davemloft.net> Wed Dec 02 23:39:46 2015 -0500
tree dfe97a192eed6a74dc5e2518d0d2662a301f12a9
parent 38ee8fb67c3457f36f5137073c4b8ac2436d2393

sctp: use GFP_USER for user-controlled kmalloc

Dmitry Vyukov reported that the user could trigger a kernel warning by
using a large len value for getsockopt SCTP_GET_LOCAL_ADDRS, as that
value directly affects the value used as a kmalloc() parameter.

This patch thus switches the allocation flags from all user-controllable
kmalloc size to GFP_USER to put some more restrictions on it and also
disables the warn, as they are not necessary.

Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/sctp/socket.c

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 5e35ef3..f6161e3 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -972,7 +972,7 @@
 		return -EFAULT;
 
 	/* Alloc space for the address array in kernel memory.  */
-	kaddrs = kmalloc(addrs_size, GFP_KERNEL);
+	kaddrs = kmalloc(addrs_size, GFP_USER | __GFP_NOWARN);
 	if (unlikely(!kaddrs))
 		return -ENOMEM;
 
@@ -4928,7 +4928,7 @@
 	to = optval + offsetof(struct sctp_getaddrs, addrs);
 	space_left = len - offsetof(struct sctp_getaddrs, addrs);
 
-	addrs = kmalloc(space_left, GFP_KERNEL);
+	addrs = kmalloc(space_left, GFP_USER | __GFP_NOWARN);
 	if (!addrs)
 		return -ENOMEM;