lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 13 Jan 2020 16:44:16 +0300
From:   Cengiz Can <cengiz@...nel.wtf>
To:     Leon Romanovsky <leon@...nel.org>,
        Saeed Mahameed <saeedm@...lanox.com>,
        Yevgeny Kliteynik <kliteyn@...lanox.com>,
        Alex Vesker <valex@...lanox.com>,
        Erez Shitrit <erezsh@...lanox.com>,
        Tariq Toukan <tariqt@...lanox.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <jakub.kicinski@...ronome.com>
Cc:     netdev@...r.kernel.org, linux-rdma@...r.kernel.org,
        linux-kernel@...r.kernel.org, Cengiz Can <cengiz@...nel.wtf>
Subject: [PATCH] net: mellanox: prevent resource leak on htbl

According to a Coverity static analysis tool,
`drivers/net/mellanox/mlx5/core/steering/dr_rule.c#63` leaks a
`struct mlx5dr_ste_htbl *` named `new_htbl` while returning from
`dr_rule_create_collision_htbl` function.

A annotated snippet of the possible resource leak follows:

```
static struct mlx5dr_ste *
dr_rule_create_collision_htbl(struct mlx5dr_matcher *matcher,
                              struct mlx5dr_matcher_rx_tx *nic_matcher,
                              u8 *hw_ste)
   /* ... */
   /* ... */

   /* Storage is returned from allocation function mlx5dr_ste_htbl_alloc. */
   /* Assigning: new_htbl = storage returned from mlx5dr_ste_htbl_alloc(..) */
        new_htbl = mlx5dr_ste_htbl_alloc(dmn->ste_icm_pool,
                                         DR_CHUNK_SIZE_1,
                                         MLX5DR_STE_LU_TYPE_DONT_CARE,
                                         0);
   /* Condition !new_htbl, taking false branch. */
        if (!new_htbl) {
                mlx5dr_dbg(dmn, "Failed allocating collision table\n");
                return NULL;
        }

        /* One and only entry, never grows */
        ste = new_htbl->ste_arr;
        mlx5dr_ste_set_miss_addr(hw_ste, nic_matcher->e_anchor->chunk->icm_addr);
   /* Resource new_htbl is not freed or pointed-to in mlx5dr_htbl_get */
        mlx5dr_htbl_get(new_htbl);

   /* Variable new_htbl going out of scope leaks the storage it points to. */
        return ste;
```

There's a caller of this function which does refcounting and free'ing by
itself but that function also skips free'ing `new_htbl` due to missing
jump to error label. (referring to `dr_rule_create_collision_entry lines
75-77. They don't jump to `free_tbl`)

Added a `kfree(new_htbl)` just before returning `ste` pointer to fix the
leak.

Signed-off-by: Cengiz Can <cengiz@...nel.wtf>
---

This might be totally breaking the refcounting logic in the file so
please provide any feedback so I can evolve this into something more
suitable.

For the record, Coverity scan id is CID 1457773.

 drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
index e4cff7abb348..047b403c61db 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_rule.c
@@ -60,6 +60,8 @@ dr_rule_create_collision_htbl(struct mlx5dr_matcher *matcher,
 	mlx5dr_ste_set_miss_addr(hw_ste, nic_matcher->e_anchor->chunk->icm_addr);
 	mlx5dr_htbl_get(new_htbl);

+	kfree(new_htbl);
+
 	return ste;
 }

--
2.24.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ