lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <201905242302.139A912@keescook>
Date:   Fri, 24 May 2019 23:04:25 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Jon Hunter <jonathanh@...dia.com>,
        Greg KH <gregkh@...uxfoundation.org>
Cc:     Gen Zhang <blackgod016574@...il.com>, jslaby@...e.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] consolemap: Fix a memory leaking bug in
 drivers/tty/vt/consolemap.c

On Fri, May 24, 2019 at 10:37:59AM +0100, Jon Hunter wrote:
> Kees,
> 
> On 23/05/2019 17:54, Kees Cook wrote:
> > On Thu, May 23, 2019 at 08:34:52AM +0800, Gen Zhang wrote:
> >> In function con_insert_unipair(), when allocation for p2 and p1[n]
> >> fails, ENOMEM is returned, but previously allocated p1 is not freed, 
> >> remains as leaking memory. Thus we should free p1 as well when this
> >> allocation fails.
> >>
> >> Signed-off-by: Gen Zhang <blackgod016574@...il.com>
> > 
> > As far as I can see this is correct, as it's just restoring the prior
> > state before the p1 allocation.
> 
> Are you sure this is correct? It looks like p1 is only allocated if
> p->uni_pgdir[n = unicode >> 11] == NULL.

Thanks, yes, I looked more closely, and this is wrong. It's probably
fine to leave it as it was (since it appears to just be allocating
on demand). If we really want to restore the state on failure, we
also can't re-use "n", which is no longer valid. Here, I think,
would be a complete patch to check for allocation and use a separate
index for the other array:


diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
index b28aa0d289f8..5f77cffc53b8 100644
--- a/drivers/tty/vt/consolemap.c
+++ b/drivers/tty/vt/consolemap.c
@@ -474,7 +474,8 @@ static int con_unify_unimap(struct vc_data *conp, struct uni_pagedir *p)
 static int
 con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos)
 {
-	int i, n;
+	int i, n, high;
+	bool p1_alloced = false;
 	u16 **p1, *p2;
 
 	p1 = p->uni_pgdir[n = unicode >> 11];
@@ -482,14 +483,22 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos)
 		p1 = p->uni_pgdir[n] = kmalloc_array(32, sizeof(u16 *),
 						     GFP_KERNEL);
 		if (!p1) return -ENOMEM;
+		p1_alloced = true;
 		for (i = 0; i < 32; i++)
 			p1[i] = NULL;
 	}
 
-	p2 = p1[n = (unicode >> 6) & 0x1f];
+	p2 = p1[high = (unicode >> 6) & 0x1f];
 	if (!p2) {
-		p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL);
-		if (!p2) return -ENOMEM;
+		p2 = p1[high] = kmalloc_array(64, sizeof(u16), GFP_KERNEL);
+		if (!p2) {
+			if (p1_alloced) {
+				kfree(p1);
+				p->uni_pgdir[n] = NULL;
+			}
+			return -ENOMEM;
+		}
+
 		memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */
 	}
 

But, frankly, probably the patch should just be removed...

-Kees

> 
> I only mention this because I have seen a few patches from Gen today
> regarding memory leaks and devm_kzalloc() that are not correct.
> 
> > Reviewed-by: Kees Cook <keescook@...omium.org>
> > 
> >> ---
> >> diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
> >> index b28aa0d..79fcc96 100644
> >> --- a/drivers/tty/vt/consolemap.c
> >> +++ b/drivers/tty/vt/consolemap.c
> >> @@ -489,7 +489,11 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos)
> >>  	p2 = p1[n = (unicode >> 6) & 0x1f];
> >>  	if (!p2) {
> >>  		p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL);
> >> -		if (!p2) return -ENOMEM;
> >> +		if (!p2) {
> >> +			kfree(p1);
> >> +			p->uni_pgdir[n] = NULL;
> >> +			return -ENOMEM;
> >> +		}
> >>  		memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */
> >>  	}
> >>  
> >> ---
> 
> Cheers
> Jon
> 
> -- 
> nvpublic

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ