lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 21 Mar 2016 10:02:42 +0200
From:	Alexander Shishkin <alexander.shishkin@...ux.intel.com>
To:	Leon Yu <chianglungyu@...il.com>, linux-kernel@...r.kernel.org
Cc:	Leon Yu <chianglungyu@...il.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Ingo Molnar <mingo@...hat.com>,
	Arnaldo Carvalho de Melo <acme@...nel.org>,
	stable@...r.kernel.org
Subject: Re: [PATCH] perf: fix event leak when perf_event_open() failed to create event_file

Leon Yu <chianglungyu@...il.com> writes:

> If something went wrong in anon_inode_getfile, event_file will be set to
> non-zero error number and able to bypass the NULL test afterward.
>
> Consolidate the error path by testing event_file with handly
> IS_ERR_OR_NULL() helper since we do want to free event in both cases.
>
> Signed-off-by: Leon Yu <chianglungyu@...il.com>
> Fixes: 130056275ade ("perf: Do not double free")
> Cc: <stable@...r.kernel.org> # v4.5
> ---
>  kernel/events/core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 6146148..5f2e19f 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -8617,7 +8617,7 @@ err_alloc:
>  	 * If event_file is set, the fput() above will have called ->release()
>  	 * and that will take care of freeing the event.
>  	 */
> -	if (!event_file)
> +	if (IS_ERR_OR_NULL(event_file))
>  		free_event(event);

By this time, we have already checked for IS_ERR(event_file) once, why
not just fix it up there like so:

---
From: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
Date: Mon, 21 Mar 2016 09:55:09 +0200
Subject: perf: Don't leak event in the syscall error path

In the error path, event_file not being NULL is used to determine
whether the event itself still needs to be free'd, so fix it up to avoid
leaking.

Reported-by: Leon Yu <chianglungyu@...il.com>
Fixes: 130056275ade ("perf: Do not double free")
Signed-off-by: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
---
 kernel/events/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index ab83640a50..cc34d55f1e 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9414,6 +9414,7 @@ SYSCALL_DEFINE5(perf_event_open,
 					f_flags);
 	if (IS_ERR(event_file)) {
 		err = PTR_ERR(event_file);
+		event_file = NULL;
 		goto err_context;
 	}
 
-- 
2.7.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ