| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202007060834.5D4F78BF8A@keescook> Date: Mon, 6 Jul 2020 08:38:10 -0700 From: Kees Cook <keescook@...omium.org> To: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@...il.com> Cc: christian@...uner.io, linux-kernel@...r.kernel.org Subject: Re: [PATCH] pidfd: fix memory leak in pidfd_getfd() Note: please review recent commit history for bug fixes like this -- I introduced this bug. :) On Mon, Jul 06, 2020 at 06:22:55PM +0530, Vamshi K Sthambamkadi wrote: > kmemleak backtrace: > > comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s) > hex dump (first 32 bytes): > 00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2 ..............o. > b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00 ................ > backtrace: > [<8da987ad>] kmem_cache_alloc+0x199/0x4c0 > [<8ff6a575>] __alloc_file+0x1e/0xe0 > [<e1479798>] alloc_empty_file+0x45/0x100 > [<727fe6eb>] alloc_file+0x23/0xf0 > [<457148ef>] alloc_file_pseudo+0x98/0x100 > [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120 > [<5edc3e9b>] shmem_file_setup+0x4c/0x70 > [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0 > [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260 > [<62569441>] do_fast_syscall_32+0x39/0xb0 > [<3c515b7e>] do_SYSENTER_32+0x15/0x20 > [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc > > comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s) > hex dump (first 16 bytes): > 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [<8da987ad>] kmem_cache_alloc+0x199/0x4c0 > [<b67faec5>] security_file_alloc+0x20/0x90 > [<ed849d41>] __alloc_file+0x40/0xe0 > [<e1479798>] alloc_empty_file+0x45/0x100 > [<727fe6eb>] alloc_file+0x23/0xf0 > [<457148ef>] alloc_file_pseudo+0x98/0x100 > [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120 > [<5edc3e9b>] shmem_file_setup+0x4c/0x70 > [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0 > [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260 > [<62569441>] do_fast_syscall_32+0x39/0xb0 > [<3c515b7e>] do_SYSENTER_32+0x15/0x20 > [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc > > This is because in pidfd_getfd(), the file->f_count is incremented twice > 1) __pidfd_fget() gets file ref by incrementing f_count in __fget_files() > 2) f_count is incremented While installing fd in __fd_install_received() > i.e. get_file(). > > Memory leak occurs because the refs count do not match, the struct file > object is never freed. > > Secondly the error validity check (ret < 0) after the call to > fd_install_received() is not needed since this function cannot return > negative number after incrementing f_count. So it is wrong to call fput > on condition (ret < 0). > > Change pidfd_getfd() to call fput() on file reference once its installed > as new_fd in target process. > > Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@...il.com> Thanks! I'll get this fixed. -Kees > --- > kernel/pid.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/kernel/pid.c b/kernel/pid.c > index 5799ae5..d00139c 100644 > --- a/kernel/pid.c > +++ b/kernel/pid.c > @@ -653,8 +653,8 @@ static int pidfd_getfd(struct pid *pid, int fd) > return PTR_ERR(file); > > ret = fd_install_received(file, O_CLOEXEC); > - if (ret < 0) > - fput(file); > + > + fput(file); > return ret; > } > > -- > 2.7.4 > -- Kees Cook
Powered by blists - more mailing lists