Ben Wiederhake fbb85f9b2f Kernel: Refuse excessively long iovec list, also in readv ...

This bug is a good example why copy-paste code should eventually be eliminated
from the code base: Apparently the code was copied from read.cpp before
c6027ed7cc, so the same bug got introduced here.

To recap: A malicious program can ask the Kernel to prepare sys-ing to
a huge amount of iovecs. The Kernel must first copy all the vector locations
into 'vecs', and before that allocates an arbitrary amount of memory:
    vecs.resize(iov_count);
This can cause Kernel memory exhaustion, triggered by any malicious userland
program.

2021-02-15 22:09:01 +01:00

4.4 KiB

Raw Blame History

View Raw