Date:   Mon, 4 Mar 2019 20:47:42 +0800
From:   maowenan <maowenan@...wei.com>
To:     David Miller <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>, <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        <kuznet@....inr.ac.ru>
Subject: question about memory leak in ip_mc_del1_src

Hi,

There is one report that shows a memory leak in ip_mc_msfilter.
Details are as below:
00:13:12 executing program 0:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_mreqn(r0, 0x0, 0x23, &(0x7f0000000400)={@...ticast2, @remote}, 0xc)
getsockopt$inet_udp_int(r0, 0x11, 0x66, &(0x7f0000000000), &(0x7f0000000040)=0x4)
setsockopt$inet_msfilter(r0, 0x0, 0x29, &(0x7f0000000340)={@...ticast2, @remote, 0x1, 0x2, [@dev, @remote]}, 0x18)
BUG: memory leak
unreferenced object 0xffff888366182ba0 (size 64):
  comm "softirq", pid 0, jiffies 4296340851 (age 18.283s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 ac 14 14 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000003571cc08>] ip_mc_msfilter+0x4e5/0xac0 net/ipv4/igmp.c:2466
    [<00000000ffc04980>] do_ip_setsockopt.isra.3+0x2039/0x2890 net/ipv4/ip_sockglue.c:957
    [<00000000eb430827>] ip_setsockopt+0x3a/0xc0 net/ipv4/ip_sockglue.c:1246
    [<0000000027c7421b>] udp_setsockopt+0x45/0x90 net/ipv4/udp.c:2525
    [<000000004bcb55ab>] __sys_setsockopt+0x136/0x210 net/socket.c:1900
    [<00000000ff5179e9>] __do_sys_setsockopt net/socket.c:1911 [inline]
    [<00000000ff5179e9>] __se_sys_setsockopt net/socket.c:1908 [inline]
    [<00000000ff5179e9>] __x64_sys_setsockopt+0xbf/0x160 net/socket.c:1908
    [<000000005b4e95d0>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
    [<000000005f4b13c0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<00000000521b1057>] 0xffffffffffffffff

BUG: memory leak
unreferenced object 0xffff888366182c00 (size 64):
  comm "softirq", pid 0, jiffies 4296340851 (age 18.283s)
  hex dump (first 32 bytes):
    a0 2b 18 66 83 88 ff ff ac 14 14 bb 00 00 00 00  .+.f............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000003571cc08>] ip_mc_msfilter+0x4e5/0xac0 net/ipv4/igmp.c:2466
    [<00000000ffc04980>] do_ip_setsockopt.isra.3+0x2039/0x2890 net/ipv4/ip_sockglue.c:957
    [<00000000eb430827>] ip_setsockopt+0x3a/0xc0 net/ipv4/ip_sockglue.c:1246
    [<0000000027c7421b>] udp_setsockopt+0x45/0x90 net/ipv4/udp.c:2525
    [<000000004bcb55ab>] __sys_setsockopt+0x136/0x210 net/socket.c:1900
    [<00000000ff5179e9>] __do_sys_setsockopt net/socket.c:1911 [inline]
    [<00000000ff5179e9>] __se_sys_setsockopt net/socket.c:1908 [inline]
    [<00000000ff5179e9>] __x64_sys_setsockopt+0xbf/0x160 net/socket.c:1908
    [<000000005b4e95d0>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
    [<000000005f4b13c0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<00000000521b1057>] 0xffffffffffffffff

BUG: memory leak
unreferenced object 0xffff888366182d20 (size 64):
  comm "softirq", pid 0, jiffies 4296340867 (age 18.267s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 ac 14 14 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000003571cc08>] ip_mc_msfilter+0x4e5/0xac0 net/ipv4/igmp.c:2466
    [<00000000ffc04980>] do_ip_setsockopt.isra.3+0x2039/0x2890 net/ipv4/ip_sockglue.c:957
    [<00000000eb430827>] ip_setsockopt+0x3a/0xc0 net/ipv4/ip_sockglue.c:1246
    [<0000000027c7421b>] udp_setsockopt+0x45/0x90 net/ipv4/udp.c:2525
    [<000000004bcb55ab>] __sys_setsockopt+0x136/0x210 net/socket.c:1900
    [<00000000ff5179e9>] __do_sys_setsockopt net/socket.c:1911 [inline]
    [<00000000ff5179e9>] __se_sys_setsockopt net/socket.c:1908 [inline]
    [<00000000ff5179e9>] __x64_sys_setsockopt+0xbf/0x160 net/socket.c:1908
    [<000000005b4e95d0>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
    [<000000005f4b13c0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<00000000521b1057>] 0xffffffffffffffff

BUG: memory leak
unreferenced object 0xffff888366182cc0 (size 64):
  comm "softirq", pid 0, jiffies 4296340867 (age 18.267s)
  hex dump (first 32 bytes):
    20 2d 18 66 83 88 ff ff ac 14 14 bb 00 00 00 00   -.f............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000003571cc08>] ip_mc_msfilter+0x4e5/0xac0 net/ipv4/igmp.c:2466
    [<00000000ffc04980>] do_ip_setsockopt.isra.3+0x2039/0x2890 net/ipv4/ip_sockglue.c:957
    [<00000000eb430827>] ip_setsockopt+0x3a/0xc0 net/ipv4/ip_sockglue.c:1246
    [<0000000027c7421b>] udp_setsockopt+0x45/0x90 net/ipv4/udp.c:2525
    [<000000004bcb55ab>] __sys_setsockopt+0x136/0x210 net/socket.c:1900
    [<00000000ff5179e9>] __do_sys_setsockopt net/socket.c:1911 [inline]
    [<00000000ff5179e9>] __se_sys_setsockopt net/socket.c:1908 [inline]
    [<00000000ff5179e9>] __x64_sys_setsockopt+0xbf/0x160 net/socket.c:1908
    [<000000005b4e95d0>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
    [<000000005f4b13c0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<00000000521b1057>] 0xffffffffffffffff

BUG: memory leak
unreferenced object 0xffff8883d139c6c0 (size 64):
  comm "softirq", pid 0, jiffies 4296340884 (age 18.250s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 ac 14 14 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000003571cc08>] ip_mc_msfilter+0x4e5/0xac0 net/ipv4/igmp.c:2466
    [<00000000ffc04980>] do_ip_setsockopt.isra.3+0x2039/0x2890 net/ipv4/ip_sockglue.c:957
    [<00000000eb430827>] ip_setsockopt+0x3a/0xc0 net/ipv4/ip_sockglue.c:1246
    [<0000000027c7421b>] udp_setsockopt+0x45/0x90 net/ipv4/udp.c:2525
    [<000000004bcb55ab>] __sys_setsockopt+0x136/0x210 net/socket.c:1900
    [<00000000ff5179e9>] __do_sys_setsockopt net/socket.c:1911 [inline]
    [<00000000ff5179e9>] __se_sys_setsockopt net/socket.c:1908 [inline]
    [<00000000ff5179e9>] __x64_sys_setsockopt+0xbf/0x160 net/socket.c:1908
    [<000000005b4e95d0>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
    [<000000005f4b13c0>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<00000000521b1057>] 0xffffffffffffffff

I have found something suspicious:
In the call trace ip_mc_msfilter->ip_mc_add_src, in ip_mc_add_src(), if ip_mc_add1_src fails, ip_mc_del1_src()
will be called. Is there any memory leak after the line of "rv = 1"?

	if (!psf->sf_count[MCAST_INCLUDE] && !psf->sf_count[MCAST_EXCLUDE]) {
#ifdef CONFIG_IP_MULTICAST
		struct in_device *in_dev = pmc->interface;
		struct net *net = dev_net(in_dev->dev);
#endif

		/* no more filters for this source */
		if (psf_prev)
			psf_prev->sf_next = psf->sf_next;
		else
			pmc->sources = psf->sf_next;
#ifdef CONFIG_IP_MULTICAST
		if (psf->sf_oldin &&
		    !IGMP_V1_SEEN(in_dev) && !IGMP_V2_SEEN(in_dev)) {
			psf->sf_crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
			psf->sf_next = pmc->tomb;
			pmc->tomb = psf;
			rv = 1;         //if it does not kfree(psf), will it lead to a memory leak after this line?
		} else
#endif
			kfree(psf);
	}


Can I fix this to do kfree(psf) after the line of "rv = 1"?
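Added example, not from the mail above and not kernel code: a small C model of the ownership pattern in the quoted ip_mc_del1_src() snippet. When the last reference on psf drops while an IGMPv3 "source deleted" report is still owed, the entry is unlinked from pmc->sources and pushed onto pmc->tomb instead of being freed, so at "rv = 1" it is still owned by the tomb list; in the kernel it is released later, once the report has been retransmitted sf_crcount times or when the group's source lists are torn down. The model counts allocations against frees to show that the tomb path by itself does not lose the object. All names (sf_entry, mc_group, del1_src, tomb_retransmit, clear_src, live_objects, SRC) are stand-ins for struct ip_sf_list, struct ip_mc_list and the igmp.c routines, the retransmit step is simplified, and the 172.20.20.0 source address is constructed.

```c
/* Constructed model of the "move to tomb list instead of kfree" pattern in
 * ip_mc_del1_src(). Not kernel code: sf_entry/mc_group stand in for
 * struct ip_sf_list/struct ip_mc_list and the report step is simplified. */
#include <stdint.h>
#include <stdlib.h>

enum { MODE_INCLUDE, MODE_EXCLUDE };

struct sf_entry {
	struct sf_entry *next;
	uint32_t addr;
	int count[2];   /* like sf_count[MCAST_INCLUDE] / [MCAST_EXCLUDE] */
	int crcount;    /* like sf_crcount: reports still owed before release */
};

struct mc_group {
	struct sf_entry *sources, *tomb;   /* active / deleted-but-unreported sources */
	int qrv;                           /* robustness variable: reports to send */
	int v3_only;                       /* no IGMPv1/v2 querier seen on the link */
};

static const uint32_t SRC = 0xac141400u;   /* constructed source 172.20.20.0 */
static int live_objects;    /* allocations minus frees: the leak counter */
static int last_rv;         /* return value of the most recent del1_src() */
static int last_tomb_len;   /* tomb list length right after that call */

static void sf_free(struct sf_entry *e) { free(e); live_objects--; }

/* Model of ip_mc_del1_src(): drop one reference; on the last one unlink the entry
 * and either free it or, when a report is still owed, hand it to pmc->tomb. */
static int del1_src(struct mc_group *pmc, int mode, uint32_t addr, int oldin)
{
	struct sf_entry *psf = pmc->sources, *prev = NULL;
	for (; psf && psf->addr != addr; prev = psf, psf = psf->next)
		;
	if (!psf || !psf->count[mode])
		return -1;
	if (--psf->count[mode] || psf->count[!mode])
		return 0;                   /* other references remain */
	if (prev)                           /* no more filters: unlink from sources */
		prev->next = psf->next;
	else
		pmc->sources = psf->next;
	if (oldin && pmc->v3_only) {        /* ownership moves to the tomb list */
		psf->crcount = pmc->qrv;
		psf->next = pmc->tomb;
		pmc->tomb = psf;
		return 1;                   /* the "rv = 1" branch of the snippet */
	}
	sf_free(psf);
	return 0;
}

/* Model of the report step: a tomb entry is released once reported qrv times. */
static void tomb_retransmit(struct mc_group *pmc)
{
	struct sf_entry **pp = &pmc->tomb, *e;
	while ((e = *pp)) {
		if (--e->crcount > 0) {
			pp = &e->next;
			continue;
		}
		*pp = e->next;
		sf_free(e);
	}
}

/* Model of ip_mc_clear_src(): teardown must release BOTH lists. */
static void clear_src(struct mc_group *pmc)
{
	struct sf_entry *e, *n;
	for (e = pmc->sources; e; e = n) { n = e->next; sf_free(e); }
	for (e = pmc->tomb; e; e = n) { n = e->next; sf_free(e); }
	pmc->sources = pmc->tomb = NULL;
}

/* Add one source, drop its only reference with the given oldin, run `passes`
 * report rounds and return the live object count just before teardown. */
static int live_after_scenario(int oldin, int passes)
{
	struct mc_group pmc = { .qrv = 2, .v3_only = 1 };
	struct sf_entry *psf = calloc(1, sizeof(*psf));   /* like ip_mc_add1_src() */
	int live;
	if (!psf)
		return -1;
	psf->addr = SRC;
	psf->count[MODE_INCLUDE] = 1;
	pmc.sources = psf;
	live_objects = 1;
	last_tomb_len = 0;
	last_rv = del1_src(&pmc, MODE_INCLUDE, SRC, oldin);
	for (psf = pmc.tomb; psf; psf = psf->next)
		last_tomb_len++;
	while (passes-- > 0)
		tomb_retransmit(&pmc);
	live = live_objects;
	clear_src(&pmc);
	return live;
}
```

With qrv = 2, live_after_scenario(1, 0) returns 1 with last_rv == 1 and last_tomb_len == 1 (the object is parked on the tomb list, not lost), live_after_scenario(1, 2) returns 0 (released after the second report), and live_after_scenario(0, 0) returns 0 with last_rv == 0 (the else branch frees it at once). Because the entry stays reachable through pmc->tomb, a kfree(psf) added after "rv = 1" would leave the tomb list pointing at freed memory and the later release path would free it a second time. Where this pattern does leak is a teardown routine that frees the sources list but forgets the tomb list; the model's clear_src() releases both, and a counter like live_objects is the check to put around any such path.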