| author | Dmitry Vyukov <dvyukov@google.com> | 2018-10-30 17:42:18 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-10-30 17:42:18 +0100 |
| commit | 4ccf7bb438737e3b0a9228178a728ddc9fc96413 (patch) | |
| tree | ebee783ebe8a4454356050115fbf072ad5edb23c /sys/linux | |
| parent | 06a012d997ca4a5106227bd5f8a4ae18594332ad (diff) | |
sys/linux: limit init_module size argument
Kernel tries to vmalloc whatever we pass as size and it's not accounted against memcg.
As a result, it can lead to massive OOM kills of everything running on the machine.
Strictly speaking, the same applies to finit_module with a sparse file too,
but there is no simple way to handle that.
Diffstat (limited to 'sys/linux')
| -rw-r--r-- | sys/linux/init.go | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/linux/init.go b/sys/linux/init.go
index a0e99f3de..cef483990 100644
--- a/sys/linux/init.go
+++ b/sys/linux/init.go
@@ -165,6 +165,13 @@ func (arch *arch) sanitizeCall(c *prog.Call) {
 if uint64(uint32(cmd.Val)) == arch.ARCH_SET_FS {
 cmd.Val = arch.ARCH_SET_GS
 }
+ case "init_module":
+ // Kernel tries to vmalloc whatever we pass as size and it's not accounted against memcg.
+ // As the result it can lead to massive OOM kills of everything running on the machine.
+ // Strictly saying, the same applies to finit_module with a sparse file too,
+ // but there is no simple way to handle that.
+ sz := c.Args[1].(*prog.ConstArg)
+ sz.Val %= 1 << 20
 case "syz_init_net_socket":
 // Don't let it mess with arbitrary sockets in init namespace.
 family := c.Args[0].(*prog.ConstArg) |
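Review bot: The bound in `sz.Val %= 1 << 20` is a bare literal, and the added comment explains why the size must be limited but not what the limit is or that it is applied by wrap-around rather than clamping. A trailing comment such as `sz.Val %= 1 << 20 // keep the vmalloc request below 1 MiB; larger values wrap, exact multiples become 0` would make the resulting range explicit for anyone later tuning the OOM protection. The unchecked assertion `c.Args[1].(*prog.ConstArg)` will panic if the argument is ever not a ConstArg; it matches the `syz_init_net_socket` case just below, so it presumably relies on the syscall description, but a short note saying so would help. sanitizeCall begins and continues outside this hunk, so any earlier validation of the argument is not visible here.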
