| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2721049.iK2v6rcyvW@wuerfel>
Date: Thu, 10 Nov 2016 14:18:12 +0100
From: Arnd Bergmann <arnd@...db.de>
To: Jann Horn <jann@...jh.net>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Sudip Mukherjee <sudipm.mukherjee@...il.com>,
linux-kernel@...r.kernel.org, linux-parport@...ts.infradead.org,
Andy Lutomirski <luto@...capital.net>
Subject: Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name
On Sunday, October 30, 2016 11:19:24 PM CET Jann Horn wrote:
> diff --git a/drivers/char/ppdev.c b/drivers/char/ppdev.c
> index d23368874710..6af1ce04b3da 100644
> --- a/drivers/char/ppdev.c
> +++ b/drivers/char/ppdev.c
> @@ -748,10 +748,7 @@ static int pp_release(struct inode *inode, struct file *file)
> }
>
> if (pp->pdev) {
> - const char *name = pp->pdev->name;
> -
> parport_unregister_device(pp->pdev);
> - kfree(name);
> pp->pdev = NULL;
> pr_debug(CHRDEV "%x: unregistered pardevice\n", minor);
> }
>
I took a closer look at this and found that we also leak the name
that is passed in register_device() in the same file:
name = kasprintf(GFP_KERNEL, CHRDEV "%x", minor);
...
pdev = parport_register_dev_model(port, name, &ppdev_cb, minor);
parport_register_dev_model() copies the name using kstrdup() and
we should really free it after parport_register_dev_model().
It's not a huge problem, just leaking a few bytes of memory, but
the extra kfree() probably came from this confusion.
Arnd
Powered by blists - more mailing lists