lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 29 Apr 2021 12:45:01 +0100
From:   Pavel Begunkov <asml.silence@...il.com>
To:     Colin King <colin.king@...onical.com>,
        Jens Axboe <axboe@...nel.dk>, io-uring@...r.kernel.org
Cc:     kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH][next][V2] io_uring: Fix premature return from loop and
 memory leak

On 4/29/21 11:46 AM, Colin King wrote:
> From: Colin Ian King <colin.king@...onical.com>
> 
> Currently the -EINVAL error return path is leaking memory allocated
> to data. Fix this by not returning immediately but instead setting
> the error return variable to -EINVAL and breaking out of the loop.
> 
> Kudos to Pavel Begunkov for suggesting a correct fix.

Looks good, thanks
Reviewed-by: Pavel Begunkov <asml.silence@...il.com>

> 
> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> ---
> 
> V2: set ret/err to -EINVAL and break rather than kfree and return,
>     fix both occurrences of this issue.
> 
> ---
>  fs/io_uring.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 47c2f126f885..c783ad83f220 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -8417,8 +8417,10 @@ static int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg,
>  		ret = io_buffer_validate(&iov);
>  		if (ret)
>  			break;
> -		if (!iov.iov_base && tag)
> -			return -EINVAL;
> +		if (!iov.iov_base && tag) {
> +			ret = -EINVAL;
> +			break;
> +		}
>  
>  		ret = io_sqe_buffer_register(ctx, &iov, &ctx->user_bufs[i],
>  					     &last_hpage);
> @@ -8468,8 +8470,10 @@ static int __io_sqe_buffers_update(struct io_ring_ctx *ctx,
>  		err = io_buffer_validate(&iov);
>  		if (err)
>  			break;
> -		if (!iov.iov_base && tag)
> -			return -EINVAL;
> +		if (!iov.iov_base && tag) {
> +			err = -EINVAL;
> +			break;
> +		}
>  		err = io_sqe_buffer_register(ctx, &iov, &imu, &last_hpage);
>  		if (err)
>  			break;
> 

-- 
Pavel Begunkov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ