lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 30 Nov 2017 12:18:02 +0000
From:   Colin Ian King <colin.king@...onical.com>
To:     Frank Rowand <frowand.list@...il.com>,
        Pantelis Antoniou <pantelis.antoniou@...sulko.com>,
        Rob Herring <robh+dt@...nel.org>, devicetree@...r.kernel.org
Cc:     kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] of: overlay: fix memory leak of ovcs on error exit path

On 30/11/17 12:14, Frank Rowand wrote:
> On 11/29/17 14:17, Colin King wrote:
>> From: Colin Ian King <colin.king@...onical.com>
>>
>> Currently if the call to of_resolve_phandles fails then then ovcs
>> is not kfree'd on the error exit path.  Rather than try and make
>> the clean up exit path more convoluted, fix this by just kfree'ing
>> ovcs at the point of error detection and exit via the same exit
>> path.
>>
>> Detected by CoverityScan, CID#1462296 ("Resource Leak")
>>
>> Fixes: f948d6d8b792 ("of: overlay: avoid race condition between applying multiple overlays")
>> Signed-off-by: Colin Ian King <colin.king@...onical.com>
>> ---
>>  drivers/of/overlay.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
>> index 53bc9e3f0b98..6c8efe7d8cbb 100644
>> --- a/drivers/of/overlay.c
>> +++ b/drivers/of/overlay.c
>> @@ -708,8 +708,10 @@ int of_overlay_apply(struct device_node *tree, int *ovcs_id)
>>  	of_overlay_mutex_lock();
>>  
>>  	ret = of_resolve_phandles(tree);
>> -	if (ret)
>> +	if (ret) {
>> +		kfree(ovcs);
>>  		goto err_overlay_unlock;
>> +	}
>>  
>>  	mutex_lock(&of_mutex);
>>  
>>
> 
> False coverity warning.  ovcs is freed in free_overlay_changeset().
> 

The error exit path is via err_overlay_unlock:

err_overlay_unlock:
        of_overlay_mutex_unlock();

out:
        pr_debug("%s() err=%d\n", __func__, ret);

        return ret;

..so there is no call to free_overlay_changeset there.

Colin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ