Message-ID: <CACT4Y+Zw7V3h_Lt9kuF=fSht5qPz0CnmdwY0p+k0qr3b0KadpQ@mail.gmail.com>
Date: Fri, 5 Feb 2016 22:25:30 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Paul Bolle <pebolle@...cali.nl>
Cc: Karsten Keil <isdn@...ux-pingi.de>,
"David S. Miller" <davem@...emloft.net>,
gigaset307x-common@...ts.sourceforge.net,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
syzkaller <syzkaller@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Sasha Levin <sasha.levin@...cle.com>
Subject: Re: gigaset: memory leak in gigaset_initcshw

On Fri, Feb 5, 2016 at 7:36 PM, Paul Bolle <pebolle@...cali.nl> wrote:
> On vr, 2016-02-05 at 17:06 +0100, Paul Bolle wrote:
>> If that would happen, then cs can be reused while the previous
>> > cs->hw.ser is not freed yet. Just a guess.
>>
>> I'll have to ponder on that a bit, sorry.
>
> This is from the hit-the-code-until-it-confesses department:
> --- a/drivers/isdn/gigaset/ser-gigaset.c
> +++ b/drivers/isdn/gigaset/ser-gigaset.c
> @@ -373,13 +373,9 @@ static void gigaset_freecshw(struct cardstate *cs)
>
> static void gigaset_device_release(struct device *dev)
> {
> - struct cardstate *cs = dev_get_drvdata(dev);
> -
> - if (!cs)
> - return;
> + struct ser_cardstate *scs = dev_get_drvdata(dev);
> dev_set_drvdata(dev, NULL);
> - kfree(cs->hw.ser);
> - cs->hw.ser = NULL;
> + kfree(scs);
> }
>
> /*
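Review bot: in gigaset_device_release() the new body frees scs but no longer clears cs->hw.ser, so the cardstate is left holding a pointer to freed memory once the device's last reference is dropped. Clear cs->hw.ser at the point where the driver gives up the device, before the final put, so nothing can read the stale pointer afterwards. Since the struct device is embedded in the ser_cardstate (see `&cs->hw.ser->dev.dev` in the next hunk), release could also derive scs with container_of() rather than drvdata; as written, if release ever runs before dev_set_drvdata() has been reached, kfree(NULL) returns silently and the allocation is lost.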
> @@ -408,7 +404,7 @@ static int gigaset_initcshw(struct cardstate *cs)
> cs->hw.ser = NULL;
> return rc;
> }
> - dev_set_drvdata(&cs->hw.ser->dev.dev, cs);
> + dev_set_drvdata(&cs->hw.ser->dev.dev, scs);
>
> tasklet_init(&cs->write_tasklet,
> gigaset_modem_fill, (unsigned long) cs);
>
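Review bot: the value stored by dev_set_drvdata() in gigaset_initcshw() changes type from struct cardstate * to struct ser_cardstate *, so every other dev_get_drvdata() reader on this device that still expects a cardstate has to be converted in the same patch. The identifier scs is not declared in the visible context; if it is not the local that was assigned to cs->hw.ser, pass cs->hw.ser here. A short comment saying that drvdata now refers to the ser_cardstate freed in gigaset_device_release() would make the ownership clear.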
> Does that make any difference?

Nope.

Almost 500 objects leaked in less than 10 seconds:
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 1992 2015 2520 13 8 : tunables 0 0 0 : slabdata 155 155 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2024 2041 2520 13 8 : tunables 0 0 0 : slabdata 157 157 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2061 2080 2520 13 8 : tunables 0 0 0 : slabdata 160 160 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2091 2119 2520 13 8 : tunables 0 0 0 : slabdata 163 163 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2147 2171 2520 13 8 : tunables 0 0 0 : slabdata 167 167 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2228 2236 2520 13 8 : tunables 0 0 0 : slabdata 172 172 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2261 2288 2520 13 8 : tunables 0 0 0 : slabdata 176 176 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2289 2301 2520 13 8 : tunables 0 0 0 : slabdata 177 177 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2316 2340 2520 13 8 : tunables 0 0 0 : slabdata 180 180 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2324 2366 2520 13 8 : tunables 0 0 0 : slabdata 182 182 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2356 2379 2520 13 8 : tunables 0 0 0 : slabdata 183 183 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2450 2509 2520 13 8 : tunables 0 0 0 : slabdata 193 193 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2450 2509 2520 13 8 : tunables 0 0 0 : slabdata 193 193 0
# cat /proc/slabinfo | egrep "^kmalloc-2048"
kmalloc-2048 2450 2509 2520 13 8 : tunables 0 0 0 : slabdata 193 193 0