Message-ID: <1395503588.2770.69.camel@deadeye.wl.decadent.org.uk>
Date:	Sat, 22 Mar 2014 15:53:08 +0000
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Patrick Lai <plai@...eaurora.org>,
	Mark Brown <broonie@...aro.org>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH 3.13 110/149] ASoC: pcm: free path list before exiting
 from error conditions

On Thu, 2014-03-20 at 17:04 -0700, Greg Kroah-Hartman wrote:
> 3.13-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Patrick Lai <plai@...eaurora.org>
> 
> commit e4ad1accb28d0ed8cea6f12395d58686ad344ca7 upstream.
> 
> dpcm_path_get() allocates dynamic memory to hold path list.
> Corresponding dpcm_path_put() must be called to free the memory.
> dpcm_path_put() is not called under several error conditions.
> This leads to memory leak.

This is broken.  dpcm_path_get() may return -ENOMEM and not initialise
the list at all.

If snd_soc_dapm_dai_get_connected_widgets() can fail (I don't think it
can) then dpcm_path_get() should be responsible for freeing the list
before returning.

[...]
> --- a/sound/soc/soc-pcm.c
> +++ b/sound/soc/soc-pcm.c
[...]
> @@ -1979,6 +1981,7 @@ static int dpcm_fe_dai_open(struct snd_p
>  	fe->dpcm[stream].runtime = fe_substream->runtime;
>  
>  	if (dpcm_path_get(fe, stream, &list) <= 0) {
> +		dpcm_path_put(&list);

This is the one place where a memory leak seems to be possible, but the
< 0 and == 0 cases need to be distinguished.

Greg, please drop this until it is fixed properly upstream.

Ben.

>  		dev_dbg(fe->dev, "ASoC: %s no valid %s route\n",
>  			fe->dai_link->name, stream ? "capture" : "playback");
>  	}
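
Review bot: The added dpcm_path_put(&list) sits inside the `dpcm_path_get(fe, stream, &list) <= 0` branch of dpcm_fe_dai_open(), so it runs both for an error return (< 0) and for an empty result (== 0). The reply above notes that dpcm_path_get() may return -ENOMEM without initialising the list, in which case this put would act on a list that was never set up. Suggest splitting the condition so that the negative case is handled without calling dpcm_path_put() and the list is freed only when the return value is 0, or alternatively making dpcm_path_get() free its own list before returning an error so that callers never have to clean up after a failure.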

-- 
Ben Hutchings
I'm not a reverse psychological virus.  Please don't copy me into your sig.
