[PATCH] tomoyo: Reject excessively long lines

Leo Stone leocstone at gmail.com
Mon Dec 16 02:14:58 UTC 2024


syzbot creates an anonymous memory region, and then issues a
write syscall from the new memory region to a sysfs entry controlled by
tomoyo, specifying a buffer size of just under 2 GB (the actual size of
the buffer is ~32 MB). Because tomoyo_write_control will double the
size of head->write_buf every time it runs out of space for the current
line, and everything in the zero-initialized buffer is on the same line,
the function will eventually issue a kzalloc with a size that is too large,
triggering the warning.

Reject writes with excessively long lines.

Reported-by: syzbot+7536f77535e5210a5c76 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
Signed-off-by: Leo Stone <leocstone at gmail.com>
---
 security/tomoyo/common.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 5c7b059a332a..0c75be949c9d 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2665,6 +2665,10 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
 
 		if (head->w.avail >= head->writebuf_size - 1) {
 			const int len = head->writebuf_size * 2;
+			if (len > KMALLOC_MAX_SIZE) {
+				error = -EINVAL;
+				break;
+			}
 			char *cp = kzalloc(len, GFP_NOFS);
 
 			if (!cp) {
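Review bot: The new `if (len > KMALLOC_MAX_SIZE)` block sits between the `const int len` declaration and the `char *cp = kzalloc(len, GFP_NOFS);` declaration, so a statement now precedes a declaration in this block. Kernel style conventionally keeps declarations at the top of the block. Consider declaring `char *cp;` first, then doing the size check, then assigning `cp = kzalloc(len, GFP_NOFS);`. The bound is also tested only after `head->writebuf_size * 2` has been computed into an `int`. Testing `head->writebuf_size > KMALLOC_MAX_SIZE / 2` before doubling would enforce the same limit without depending on the multiplication staying in range, and would avoid comparing a signed `len` against the unsigned constant. A one-line comment saying that this is what caps the maximum accepted line length, and that over-long lines get `-EINVAL`, would help readers of this function.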
-- 
2.43.0



