From: Eric Sandeen <sandeen@redhat.com>
Subject: seq_file: Disallow extremely large seq buffer allocations
References: bsc#1188062, CVE-2021-33909
Patch-mainline: v5.14-rc3
Git-commit: 8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b
There is no reasonable need for a buffer larger than this,
and it avoids int overflow pitfalls.
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
---
diff --git a/fs/seq_file.c b/fs/seq_file.c
index 5059248..d6aacba 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -32,6 +32,9 @@ static void seq_set_overflow(struct seq_file *m)
static void *seq_buf_alloc(unsigned long size)
{
+ if (unlikely(size > MAX_RW_COUNT))
+ return NULL;
+
return kvmalloc(size, GFP_KERNEL_ACCOUNT);
}