lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 17 Jul 2020 14:44:10 +0200
From:   Oleksij Rempel <o.rempel@...gutronix.de>
To:     trix@...hat.com
Cc:     robin@...tonic.nl, linux@...pel-privat.de, kernel@...gutronix.de,
        socketcan@...tkopp.net, mkl@...gutronix.de, davem@...emloft.net,
        kuba@...nel.org, ecathinds@...il.com, lkp@...el.com,
        bst@...gutronix.de, maxime.jayat@...ile-devices.fr,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-can@...r.kernel.org
Subject: Re: [PATCH] can: j1939: fix double free in j1939_netdev_start

Hi Tom,

On Fri, Jul 10, 2020 at 06:45:36AM -0700, trix@...hat.com wrote:
> From: Tom Rix <trix@...hat.com>
> 
> clang static analysis flags this error
> 
> j1939/main.c:292:2: warning: Attempt to free released memory [unix.Malloc]
>         kfree(priv);
>         ^~~~~~~~~~~
> 
> The problem block of code is
> 
> 	ret = j1939_can_rx_register(priv);
> 	if (ret < 0)
> 		goto out_priv_put;
> 
> 	return priv;
> 
>  out_priv_put:
> 	j1939_priv_set(ndev, NULL);
> 	dev_put(ndev);
> 	kfree(priv);
> 
> When j1939_can_rx_register fails, it frees priv via the
> j1939_priv_put release function __j1939_priv_release.

In j1939_can_rx_register()...

| static int j1939_can_rx_register(struct j1939_priv *priv)
| {
| 	struct net_device *ndev = priv->ndev;
| 	int ret;

... the function in entered with ref counter == 1.
(Due to kref_init(&priv->kref); in j1939_priv_create())

|
| 	j1939_priv_get(priv);

... then the ref counter is increased by 1, resulting in 2.

| 	ret = can_rx_register(dev_net(ndev), ndev, J1939_CAN_ID, J1939_CAN_MASK,
| 			      j1939_can_recv, priv, "j1939", NULL);
| 	if (ret < 0) {
| 		j1939_priv_put(priv);

And in case of an error, the ref counter is decreased by one again.

| 		return ret;
| 	}
|
| 	return 0;
| }

So we cannot see why clang thinks the memory is double free()d.

> Since j1939_priv_put is used widely, remove the second
> free from j1939_netdev_start.

We might replace the manual kfree() and dev_put() by the dropping the
last ref count and rely on the automatic cleanup.

> Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
> 
> Signed-off-by: Tom Rix <trix@...hat.com>
> ---
>  net/can/j1939/main.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c
> index 137054bff9ec..991a74bc491b 100644
> --- a/net/can/j1939/main.c
> +++ b/net/can/j1939/main.c
> @@ -289,7 +289,6 @@ struct j1939_priv *j1939_netdev_start(struct net_device *ndev)
>   out_priv_put:
>  	j1939_priv_set(ndev, NULL);
>  	dev_put(ndev);
> -	kfree(priv);
>  
>  	return ERR_PTR(ret);
>  }

regards,
Oleksij & Marc

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ