lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Fri, 11 Apr 2014 15:33:03 +0200
From:	Mateusz Guzik <mguzik@...hat.com>
To:	"Wang, Xiaoming" <xiaoming.wang@...el.com>
Cc:	davem@...emloft.net, kuznet@....inr.ac.ru, jmorris@...ei.org,
	yoshfuji@...ux-ipv6.org, kaber@...sh.net, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, chuansheng.liu@...el.com,
	dongxing.zhang@...el.com, pmatouse@...hat.com
Subject: Re: [PATCH] net: ipv4: current group_info should be put after using.

On Fri, Apr 11, 2014 at 10:35:33AM +0200, Mateusz Guzik wrote:
> On Fri, Apr 11, 2014 at 01:37:08PM -0400, Wang, Xiaoming wrote:
> > There is a memory leak in ping. Current group_info had been got in 
> > ping_init_sock and group_info->usage increased. 
> > But the usage hasn't decreased anywhere in ping.
> > This will make this group_info never freed and cause memory leak.
> > 
> 
> Memory leak is only one of possible side-effects, thus I believe commit
> message should be adjusted.
> 
> This is a typical refcount leak exploitable by unprivileged users, so
> side effects can range from nothing through memory leaks and crashes to
> possibly privilege escalation.
> 
> That said losing ' and cause memory leak' from your commit message
> would be fine in my opinion.
> 

Huh, not sure why I wrote that last sentence, it does not make much
sense. Sorry.

There is a pending CVE request for this bug:
http://seclists.org/oss-sec/2014/q2/97

The bug was introduced with:
commit c319b4d76b9e583a5d88d6bf190e079c4e43213d
Author: Vasiliy Kulikov <segoon@...nwall.com>
Date:   Fri May 13 10:01:00 2011 +0000

    net: ipv4: add IPPROTO_ICMP socket kind

starting with 3.0 kernel.


> See also a nit below.
> 
> > ---
> >  net/ipv4/ping.c |   11 ++++++++---
> >  1 files changed, 8 insertions(+), 3 deletions(-)
> > 
> > diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
> > index f4b19e5..2af7b1f 100644
> > --- a/net/ipv4/ping.c
> > +++ b/net/ipv4/ping.c
> > @@ -255,23 +255,28 @@ int ping_init_sock(struct sock *sk)
> >  	struct group_info *group_info = get_current_groups();
> >  	int i, j, count = group_info->ngroups;
> >  	kgid_t low, high;
> > +	int ret = 0;
> >  
> >  	inet_get_ping_group_range_net(net, &low, &high);
> >  	if (gid_lte(low, group) && gid_lte(group, high))
> > -		return 0;
> > +		goto out_release_group;
> >  
> 
> Since group_info is not even used here maybe it would be better to leave
> return 0 as it is and call get_current_groups before the loop?
> 
> >  	for (i = 0; i < group_info->nblocks; i++) {
> >  		int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
> >  		for (j = 0; j < cp_count; j++) {
> >  			kgid_t gid = group_info->blocks[i][j];
> >  			if (gid_lte(low, gid) && gid_lte(gid, high))
> > -				return 0;
> > +				goto out_release_group;
> >  		}
> >  
> >  		count -= cp_count;
> >  	}
> >  
> > -	return -EACCES;
> > +	ret = -EACCES;
> > +
> > +out_release_group:
> > +	put_group_info(group_info);
> > +	return ret;
> >  }
> >  EXPORT_SYMBOL_GPL(ping_init_sock);
> >  
> 
> -- 
> Mateusz Guzik

-- 
Mateusz Guzik
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists