| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87868186-c4a9-88fb-bcd3-c5f226c50e59@suse.com>
Date: Tue, 24 Sep 2019 10:06:30 +0300
From: Nikolay Borisov <nborisov@...e.com>
To: Navid Emamdoost <navid.emamdoost@...il.com>
Cc: Chris Mason <clm@...com>, David Sterba <dsterba@...e.com>,
Josef Bacik <josef@...icpanda.com>, emamd001@....edu,
kjlu@....edu, smccaman@....edu, linux-btrfs@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] btrfs: prevent memory leak
On 24.09.19 г. 1:34 ч., Navid Emamdoost wrote:
> In btrfsic_mount if btrfsic_dev_state_alloc fails the allocated state
> will be leaked. It needs to be released on error handling path.
>
> Signed-off-by: Navid Emamdoost <navid.emamdoost@...il.com>
NAK.
The allocated state could have been added to a btrfsic_dev_state which
in turn is linked by btrfsic_dev_state_hashtable_add. So when later
ds->state is dereferenced it will case a UAF and likely result in crash.
Looking at the integrity code I also don't like how it's structured e.g.
if a memory error occurs then only some devices will be added to the
btrfsic_dev_State_hashtable and the super block is not going to be
validated at all.
> ---
> fs/btrfs/check-integrity.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c
> index 0b52ab4cb964..8a77b0cb2db3 100644
> --- a/fs/btrfs/check-integrity.c
> +++ b/fs/btrfs/check-integrity.c
> @@ -2941,6 +2941,7 @@ int btrfsic_mount(struct btrfs_fs_info *fs_info,
> if (NULL == ds) {
> pr_info("btrfs check-integrity: kmalloc() failed!\n");
> mutex_unlock(&btrfsic_mutex);
> + kvfree(state);
> return -ENOMEM;
> }
> ds->bdev = device->bdev;
>
Powered by blists - more mailing lists