lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 6 Jul 2020 18:22:55 +0530
From:   Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@...il.com>
To:     christian@...uner.io
Cc:     linux-kernel@...r.kernel.org
Subject: [PATCH] pidfd: fix memory leak in pidfd_getfd()

kmemleak backtrace:

comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2  ..............o.
    b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
    [<8ff6a575>] __alloc_file+0x1e/0xe0
    [<e1479798>] alloc_empty_file+0x45/0x100
    [<727fe6eb>] alloc_file+0x23/0xf0
    [<457148ef>] alloc_file_pseudo+0x98/0x100
    [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
    [<5edc3e9b>] shmem_file_setup+0x4c/0x70
    [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
    [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
    [<62569441>] do_fast_syscall_32+0x39/0xb0
    [<3c515b7e>] do_SYSENTER_32+0x15/0x20
    [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc

comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
  hex dump (first 16 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
    [<b67faec5>] security_file_alloc+0x20/0x90
    [<ed849d41>] __alloc_file+0x40/0xe0
    [<e1479798>] alloc_empty_file+0x45/0x100
    [<727fe6eb>] alloc_file+0x23/0xf0
    [<457148ef>] alloc_file_pseudo+0x98/0x100
    [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
    [<5edc3e9b>] shmem_file_setup+0x4c/0x70
    [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
    [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
    [<62569441>] do_fast_syscall_32+0x39/0xb0
    [<3c515b7e>] do_SYSENTER_32+0x15/0x20
    [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc

This is because in pidfd_getfd(), the file->f_count is incremented twice
1) __pidfd_fget() gets file ref by incrementing f_count in __fget_files()
2) f_count is incremented While installing fd in __fd_install_received()
   i.e. get_file().

Memory leak occurs because the refs count do not match, the struct file
object is never freed.

Secondly the error validity check (ret < 0) after the call to
fd_install_received() is not needed since this function cannot return
negative number after incrementing f_count. So it is wrong to call fput
on condition (ret < 0).

Change pidfd_getfd() to call fput() on file reference once its installed
as new_fd in target process.

Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@...il.com>
---
 kernel/pid.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/pid.c b/kernel/pid.c
index 5799ae5..d00139c 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -653,8 +653,8 @@ static int pidfd_getfd(struct pid *pid, int fd)
 		return PTR_ERR(file);
 
 	ret = fd_install_received(file, O_CLOEXEC);
-	if (ret < 0)
-		fput(file);
+
+	fput(file);
 	return ret;
 }
 
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ