lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Sun,  9 Aug 2020 17:14:52 -0500
From:   James Bond <jameslouisebond@...il.com>
To:     jameslouisebond@...il.com
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jiri Slaby <jirislaby@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Kees Cook <keescook@...omium.org>,
        Michel Lespinasse <walken@...gle.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Denis Efremov <efremov@...ux.com>, linux-kernel@...r.kernel.org
Subject: [PATCH] tty/vt: fix a memory leak in con_insert_unipair

Syzkaller find a memory leak in con_insert_unipair:
    BUG: memory leak
    unreferenced object 0xffff88804893d100 (size 256):
    comm "syz-executor.3", pid 16154, jiffies 4295043307 (age 2392.340s)
    hex dump (first 32 bytes):
    80 af 88 4e 80 88 ff ff 00 a8 88 4e 80 88 ff ff  ...N.......N....
    80 ad 88 4e 80 88 ff ff 00 aa 88 4e 80 88 ff ff  ...N.......N....
    backtrace:
    [<00000000f76ff1de>] kmalloc include/linux/slab.h:555 [inline]
    [<00000000f76ff1de>] kmalloc_array include/linux/slab.h:596 [inline]
    [<00000000f76ff1de>] con_insert_unipair+0x9e/0x1a0 drivers/tty/vt/consolemap.c:482
    [<000000002f1ad7da>] con_set_unimap+0x244/0x2a0 drivers/tty/vt/consolemap.c:595
    [<0000000046ccb106>] do_unimap_ioctl drivers/tty/vt/vt_ioctl.c:297 [inline]
    [<0000000046ccb106>] vt_ioctl+0x863/0x12f0 drivers/tty/vt/vt_ioctl.c:1018
    [<00000000db1577ff>] tty_ioctl+0x4cd/0xa30 drivers/tty/tty_io.c:2656
    [<00000000e5cdf5ed>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<00000000e5cdf5ed>] ksys_ioctl+0xa6/0xd0 fs/ioctl.c:753
    [<00000000fb4aa12c>] __do_sys_ioctl fs/ioctl.c:762 [inline]
    [<00000000fb4aa12c>] __se_sys_ioctl fs/ioctl.c:760 [inline]
    [<00000000fb4aa12c>] __x64_sys_ioctl+0x1a/0x20 fs/ioctl.c:760
    [<00000000f561f260>] do_syscall_64+0x4c/0xe0 arch/x86/entry/common.c:384
    [<0000000056206928>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    BUG: leak checking failed

To fix this issue, we need to release the pointer p1 when the call of
the function kmalloc_array fail.

Signed-off-by: James Bond <jameslouisebond@...il.com>
---
 drivers/tty/vt/consolemap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
index 5947b54d92be..1e8d06c32ca1 100644
--- a/drivers/tty/vt/consolemap.c
+++ b/drivers/tty/vt/consolemap.c
@@ -489,7 +489,10 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos)
 	p2 = p1[n = (unicode >> 6) & 0x1f];
 	if (!p2) {
 		p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL);
-		if (!p2) return -ENOMEM;
+		if (!p2) {
+			kfree(p1);
+			return -ENOMEM;
+		}
 		memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */
 	}
 
-- 
2.17.1

Powered by blists - more mailing lists