lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Oct 2022 19:54:30 -0700 From: Kees Cook <keescook@...omium.org> To: Alexei Starovoitov <ast@...nel.org> Cc: Kees Cook <keescook@...omium.org>, Daniel Borkmann <daniel@...earbox.net>, John Fastabend <john.fastabend@...il.com>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Song Liu <song@...nel.org>, Yonghong Song <yhs@...com>, KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...gle.com>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, bpf@...r.kernel.org, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: [PATCH bpf-next v2 1/3] bpf/verifier: Fix potential memory leak in array reallocation If an error (NULL) is returned by krealloc(), callers of realloc_array() were setting their allocation pointers to NULL, but on error krealloc() does not touch the original allocation. This would result in a memory resource leak. Instead, free the old allocation on the error handling path. Cc: Alexei Starovoitov <ast@...nel.org> Cc: Daniel Borkmann <daniel@...earbox.net> Cc: John Fastabend <john.fastabend@...il.com> Cc: Andrii Nakryiko <andrii@...nel.org> Cc: Martin KaFai Lau <martin.lau@...ux.dev> Cc: Song Liu <song@...nel.org> Cc: Yonghong Song <yhs@...com> Cc: KP Singh <kpsingh@...nel.org> Cc: Stanislav Fomichev <sdf@...gle.com> Cc: Hao Luo <haoluo@...gle.com> Cc: Jiri Olsa <jolsa@...nel.org> Cc: bpf@...r.kernel.org Signed-off-by: Kees Cook <keescook@...omium.org> --- kernel/bpf/verifier.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 014ee0953dbd..eb8c34db74c7 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1027,12 +1027,17 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t */ static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size) { + void *new_arr; + if (!new_n || old_n == new_n) goto out; - arr = krealloc_array(arr, new_n, size, GFP_KERNEL); - if (!arr) + new_arr = krealloc_array(arr, new_n, size, GFP_KERNEL); + if (!new_arr) { + kfree(arr); return NULL; + } + arr = new_arr; if (new_n > old_n) memset(arr + old_n * size, 0, (new_n - old_n) * size); -- 2.34.1
Powered by blists - more mailing lists