lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170823103836.584a5dc5@gandalf.local.home>
Date:   Wed, 23 Aug 2017 10:38:36 -0400
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Chunyu Hu <chuhu@...hat.com>
Cc:     mingo@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] tracing: Fix kmemleak in set_trigger_filter

On Mon, 14 Aug 2017 18:18:18 +0800
Chunyu Hu <chuhu@...hat.com> wrote:

> Found this kmemleak in error path when setting event trigger
> filter. The steps is as below.
> 
> cd /sys/kernel/debug/tracing/events/irq/irq_handler_entry
> echo 'enable_event:kmem:kmalloc:3 if nr_rq > 1' > trigger
> echo 'enable_event:kmem:kmalloc:3 if irq > 31' > trigger
> echo 'enable_event:kmem:kmalloc:3 if irq > ' > trigger
> 
> unreferenced object 0xffffa06e570186a0 (size 32):
>   comm "bash", pid 2521, jiffies 4335796661 (age 43872.095s)
>   hex dump (first 32 bytes):
>     00 00 00 00 01 00 00 00 00 a6 86 69 6e a0 ff ff  ...........in...
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
>     [<ffffffff97024e0a>] kmem_cache_alloc_trace+0xca/0x1d0
>     [<ffffffff96f86552>] create_filter_start.constprop.28+0x42/0x730
>     [<ffffffff96f87a0a>] create_filter+0x4a/0xc0
>     [<ffffffff96f87bac>] create_event_filter+0xc/0x10
>     [<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
>     [<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
>     [<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
>     [<ffffffff9704e117>] __vfs_write+0x37/0x170
>     [<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
>     [<ffffffff97050cd5>] SyS_write+0x55/0xc0
>     [<ffffffff96e03857>] do_syscall_64+0x67/0x150
>     [<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
>     [<ffffffffffffffff>] 0xffffffffffffffff
> unreferenced object 0xffffa06e6986a600 (size 512):
>   comm "bash", pid 2521, jiffies 4335796661 (age 43872.095s)
>   hex dump (first 32 bytes):
>     b0 59 f8 96 ff ff ff ff 00 00 00 00 00 00 00 00  .Y..............
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
>     [<ffffffff97025498>] __kmalloc+0xe8/0x220
>     [<ffffffff96f87518>] replace_preds+0x4c8/0x970
>     [<ffffffff96f87a51>] create_filter+0x91/0xc0
>     [<ffffffff96f87bac>] create_event_filter+0xc/0x10
>     [<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
>     [<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
>     [<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
>     [<ffffffff9704e117>] __vfs_write+0x37/0x170
>     [<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
>     [<ffffffff97050cd5>] SyS_write+0x55/0xc0
>     [<ffffffff96e03857>] do_syscall_64+0x67/0x150
>     [<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
>     [<ffffffffffffffff>] 0xffffffffffffffff
> unreferenced object 0xffffa06e718a7560 (size 32):
>   comm "bash", pid 2521, jiffies 4335807465 (age 43861.320s)
>   hex dump (first 32 bytes):
>     00 00 00 00 01 00 00 00 00 a2 76 5b 6e a0 ff ff  ..........v[n...
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff9756c27a>] kmemleak_alloc+0x4a/0xa0
>     [<ffffffff97024e0a>] kmem_cache_alloc_trace+0xca/0x1d0
>     [<ffffffff96f86552>] create_filter_start.constprop.28+0x42/0x730
>     [<ffffffff96f87a0a>] create_filter+0x4a/0xc0
>     [<ffffffff96f87bac>] create_event_filter+0xc/0x10
>     [<ffffffff96f88b24>] set_trigger_filter+0x84/0x130
>     [<ffffffff96f8934f>] event_enable_trigger_func+0x25f/0x340
>     [<ffffffff96f8894d>] event_trigger_write+0xfd/0x1a0
>     [<ffffffff9704e117>] __vfs_write+0x37/0x170
>     [<ffffffff9704f6a2>] vfs_write+0xb2/0x1b0
>     [<ffffffff97050cd5>] SyS_write+0x55/0xc0
>     [<ffffffff96e03857>] do_syscall_64+0x67/0x150
>     [<ffffffff97577ce7>] return_from_SYSCALL_64+0x0/0x6a
>     [<ffffffffffffffff>] 0xffffffffffffffff
> 
> Signed-off-by: Chunyu Hu <chuhu@...hat.com>
> ---
>  kernel/trace/trace_events_trigger.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
> index f2ac9d4..955c3eb 100644
> --- a/kernel/trace/trace_events_trigger.c
> +++ b/kernel/trace/trace_events_trigger.c
> @@ -739,7 +739,7 @@ int set_trigger_filter(char *filter_str,
>  	/* The filter is for the 'trigger' event, not the triggered event */
>  	ret = create_event_filter(file->event_call, filter_str, false, &filter);

The filter is allocated by create_event_filter. If that returns a
failure, then that should be the one to free it. It is bad taste to
require the calling function to require it.

-- Steve

>  	if (ret)
> -		goto out;
> +		goto out_free;
>   assign:
>  	tmp = rcu_access_pointer(data->filter);
>  
> @@ -764,6 +764,10 @@ int set_trigger_filter(char *filter_str,
>  	}
>   out:
>  	return ret;
> +
> + out_free:
> +	free_event_filter(filter);
> +	goto out;
>  }
>  
>  static LIST_HEAD(named_triggers);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ