| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 04 Oct 2020 14:48:23 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: anant.thazhemadam@...il.com
Cc: linux-kernel-mentees@...ts.linuxfoundation.org,
syzbot+69b804437cfec30deac3@...kaller.appspotmail.com,
jiri@...nulli.us, kuba@...nel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: team: fix memory leak in __team_options_register
From: Anant Thazhemadam <anant.thazhemadam@...il.com>
Date: Mon, 5 Oct 2020 02:25:36 +0530
> The variable "i" isn't initialized back correctly after the first loop
> under the label inst_rollback gets executed.
>
> The value of "i" is assigned to be option_count - 1, and the ensuing
> loop (under alloc_rollback) begins by initializing i--.
> Thus, the value of i when the loop begins execution will now become
> i = option_count - 2.
>
> Thus, when kfree(dst_opts[i]) is called in the second loop in this
> order, (i.e., inst_rollback followed by alloc_rollback),
> dst_optsp[option_count - 2] is the first element freed, and
> dst_opts[option_count - 1] does not get freed, and thus, a memory
> leak is caused.
>
> This memory leak can be fixed, by assigning i = option_count (instead of
> option_count - 1).
>
> Fixes: 80f7c6683fe0 ("team: add support for per-port options")
> Reported-by: syzbot+69b804437cfec30deac3@...kaller.appspotmail.com
> Tested-by: syzbot+69b804437cfec30deac3@...kaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
Applied and queued up for -stable, thank you.
Powered by blists - more mailing lists