lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 19 Jul 2017 12:21:23 +0800
From:   shuwang@...hat.com
To:     bp@...en8.de, tglx@...utronix.de, mingo@...hat.com, hpa@...or.com
Cc:     x86@...nel.org, linux-kernel@...r.kernel.org, liwang@...hat.com,
        chuhu@...hat.com, Shu Wang <shuwang@...hat.com>
Subject: [PATCH] x86/microcode/AMD: fix memleak in update_cache()

From: Shu Wang <shuwang@...hat.com>

Found this issue by kmemleak. The mem is allocated in
verify_and_add_patch(), passed to update_cache(patch),
and just dropped the reference without free
if (p->patch_id >= new_patch->patch_id)
    return;

unreferenced object 0xffff88010e780b40 (size 32):
  comm "bash", pid 860, jiffies 4294690939 (age 29.297s)
  backtrace:
    [<ffffffff8176166a>] kmemleak_alloc+0x4a/0xa0
    [<ffffffff8121801a>] kmem_cache_alloc_trace+0xca/0x1d0
    [<ffffffff81050d60>] load_microcode_amd.isra.0+0x1d0/0x400
    [<ffffffff81051053>] request_microcode_amd+0xc3/0x160
    [<ffffffff8104eef1>] reload_store+0xe1/0x170
    [<ffffffff814dd228>] dev_attr_store+0x18/0x30
    [<ffffffff812ce8ca>] sysfs_kf_write+0x3a/0x50
    [<ffffffff812ce38f>] kernfs_fop_write+0xff/0x180
    [<ffffffff81242307>] __vfs_write+0x37/0x170
    [<ffffffff81243892>] vfs_write+0xb2/0x1b0
    [<ffffffff81244ec5>] SyS_write+0x55/0xc0
    [<ffffffff81003857>] do_syscall_64+0x67/0x150
    [<ffffffff8176d3e7>] return_from_SYSCALL_64+0x0/0x6a
    [<ffffffffffffffff>] 0xffffffffffffffff

(gdb) list *0xffffffff81050d60
0xffffffff81050d60 is in load_microcode_amd
              (arch/x86/kernel/cpu/microcode/amd.c:616).

Signed-off-by: Shu Wang <shuwang@...hat.com>
---
 arch/x86/kernel/cpu/microcode/amd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index 21b1857..c6daec4 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -400,9 +400,12 @@ static void update_cache(struct ucode_patch *new_patch)
 
 	list_for_each_entry(p, &microcode_cache, plist) {
 		if (p->equiv_cpu == new_patch->equiv_cpu) {
-			if (p->patch_id >= new_patch->patch_id)
+			if (p->patch_id >= new_patch->patch_id) {
 				/* we already have the latest patch */
+				kfree(new_patch->data);
+				kfree(new_patch);
 				return;
+			}
 
 			list_replace(&p->plist, &new_patch->plist);
 			kfree(p->data);
-- 
2.5.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ