| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 May 2019 13:44:33 -0700
From: Kees Cook <keescook@...omium.org>
To: Gen Zhang <blackgod016574@...il.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-kernel@...r.kernel.org
Subject: Re: [PATCH] consolemap: Fix a memory leaking bug in
drivers/tty/vt/consolemap.c
On Tue, May 21, 2019 at 05:29:35PM +0800, Gen Zhang wrote:
> In function con_insert_unipair(), when allocation for p2 and p1[n]
> fails, ENOMEM is returned, but previously allocated p1 is not freed,
> remains as leaking memory. Thus we should free p1 as well when this
> allocation fails.
>
> Signed-off-by: Gen Zhang <blackgod016574@...il.com>
>
> ---
> diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
> index b28aa0d..47fbd73 100644
> --- a/drivers/tty/vt/consolemap.c
> +++ b/drivers/tty/vt/consolemap.c
> @@ -489,7 +489,10 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos)
> p2 = p1[n = (unicode >> 6) & 0x1f];
> if (!p2) {
> p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL);
> - if (!p2) return -ENOMEM;
> + if (!p2) {
> + kfree(p1);
> + return -ENOMEM;
> + }
This doesn't look safe to me: p->uni_pgdir[n] will still have a handle
to the freed memory, won't it?
(And please direct these patches to Greg, as he's the current
maintainer; I'm happy to stay CCed, of course.)
-Kees
> memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */
> }
>
--
Kees Cook
Powered by blists - more mailing lists