lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 20 Oct 2014 21:38:27 +0000
From:	Hartley Sweeten <>
To:	Ian Abbott <>,
CC:	Greg Kroah-Hartman <>,
	"" <>,
	"" <>
Subject: RE: [PATCH] staging: comedi: fix memory leak / bad pointer freeing
 for chanlist

On Monday, October 20, 2014 7:11 AM, Ian Abbott wrote:
> As a follow-up to commit 6cab7a37f5c04 ("staging: comedi: (regression)
> channel list must be set for COMEDI_CMD ioctl"), Hartley Sweeten pointed
> out another couple of bugs stemming from commit 6cab7a37f5c04 ("staging:
> comedi: comedi_fops: introduce __comedi_get_user_chanlist()").
> Firstly, `do_cmdtest_ioctl()` never frees the kernel copy of the user
> chanlist allocated by `__comedi_get_user_chanlist()`, so that memory is
> leaked.  Fix it by freeing the allocated kernel memory pointed to by
> `cmd.chanlist` before that pointer is overwritten with its original
> pointer to user memory before `cmd` is copied back to user-space.
> Secondly, if `__comedi_get_user_chanlist()` returns an error,
> `cmd->chanlist` is left unchanged and in fact will be a pointer to user
> memory.  This causes `do_cmd_ioctl()` to `goto cleanup` and call
> `do_become_nonbusy()` which would attempt to free the memory pointed to
> by the user-space pointer.  Fix it by setting `cmd->chanlist` to NULL at
> the start of `__comedi_get_user_chanlist()`.
> Fixes: c6cd0eefb27b ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()")
> Reported-by: H Hartley Sweeten <>
> Cc: <> # 3.15.y 3.16.y 3.17.y: 6cab7a37f5c04
> Cc: <> # 3.15.y 3.16.y 3.17.y
> ---
> Greg, this patch applies to your "staging-linus" branch.
> ---
>  drivers/staging/comedi/comedi_fops.c | 3 +++
>  1 file changed, 3 insertions(+)
> diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
> index a9b7fe5..a1788e8 100644
> --- a/drivers/staging/comedi/comedi_fops.c
> +++ b/drivers/staging/comedi/comedi_fops.c
> @@ -1462,6 +1462,7 @@ static int __comedi_get_user_chanlist(struct comedi_device *dev,
>  	unsigned int *chanlist;
>  	int ret;
> +	cmd->chanlist = NULL;
>  	chanlist = memdup_user(user_chanlist,
>  			       cmd->chanlist_len * sizeof(unsigned int));
>  	if (IS_ERR(chanlist))

I don't think this covers all the problems in your second issue above.

It does fix the attempt to free the memory pointed to by the user-space pointer
if the memdub_user() fails.

But in do_cmd_ioctl() we still have an issue if the s->do_cmdtest() fails or
the CMDF_BOGUS flag is set. There we restore the users cmd.chanlist
pointer to allow copy_to_user() to return the cmd/ But the kernel allocated
chanlist is not freed. The goto cleanup will again try to free the user-space

The remaining goto cleanup jumps will correctly free the kernel allocated
pointer stored in cmd.chanlist.

> @@ -1615,6 +1616,8 @@ static int do_cmdtest_ioctl(struct comedi_device *dev,
>  	ret = s->do_cmdtest(dev, s, &cmd);
> +	kfree(cmd.chanlist);	/* free kernel copy of user chanlist */
> +
>  	/* restore chanlist pointer before copying back */
>  	cmd.chanlist = (unsigned int __force *)user_chanlist;

This one does fix the issue in do_cmdtest_ioctl().


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists