lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 1 Jul 2007 01:16:51 +0200
From:	Jesper Juhl <jesper.juhl@...il.com>
To:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Cc:	David Chinner <dgc@....com>, xfs-masters@....sgi.com,
	xfs@....sgi.com, Andrew Morton <akpm@...ux-foundation.org>,
	Jesper Juhl <jesper.juhl@...il.com>
Subject: [PATCH][XFS][resend] fix memory leak in xfs_inactive()

(this is back from May 16 2007, resending since it doesn't look like 
the patch ever made it in anywhere)


The Coverity checker found a memory leak in xfs_inactive().

The offending code is this bit :

1671            tp = xfs_trans_alloc(mp, XFS_TRANS_INACTIVE);

At conditional (1): "truncate != 0" taking true path

1672            if (truncate) {
1673                    /*
1674                     * Do the xfs_itruncate_start() call before
1675                     * reserving any log space because itruncate_start
1676                     * will call into the buffer cache and we can't
1677                     * do that within a transaction.
1678                     */
1679                    xfs_ilock(ip, XFS_IOLOCK_EXCL);
1680
1681                    error = xfs_itruncate_start(ip, XFS_ITRUNC_DEFINITE, 0);

At conditional (2): "error != 0" taking true path

1682                    if (error) {
1683                            xfs_iunlock(ip, XFS_IOLOCK_EXCL);

Event leaked_storage: Returned without freeing storage "tp"
Also see events: [alloc_fn][var_assign]

1684                            return VN_INACTIVE_CACHE;
1685                    }

So, the code allocates a transaction, but in the case where 'truncate' is !=0 and xfs_itruncate_start(ip, XFS_ITRUNC_DEFINITE, 0); happens to return an error, we'll just return from the function without dealing with the memory allocated byxfs_trans_alloc() and assigned to 'tp', thus it'll be orphaned/leaked - not good.

The bug was introduced by this commit:
http://git2.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d3cf209476b72c83907a412b6708c5e498410aa7

The patch below is

From: Dave Chinner <dgc@....com>
Signed-off-by: Jesper Juhl <jesper.juhl@...il.com>
---
 fs/xfs/xfs_vnodeops.c |    1 +
 1 file changed, 1 insertion(+)

Index: 2.6.x-xfs-new/fs/xfs/xfs_vnodeops.c
===================================================================
--- 2.6.x-xfs-new.orig/fs/xfs/xfs_vnodeops.c	2007-05-11 16:04:03.000000000 +1000
+++ 2.6.x-xfs-new/fs/xfs/xfs_vnodeops.c	2007-05-17 12:37:25.671399078 +1000
@@ -1710,6 +1710,7 @@ xfs_inactive(
 
 		error = xfs_itruncate_start(ip, XFS_ITRUNC_DEFINITE, 0);
 		if (error) {
+			xfs_trans_cancel(tp, 0);
 			xfs_iunlock(ip, XFS_IOLOCK_EXCL);
 			return VN_INACTIVE_CACHE;
 		}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ