lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20210605202051.14783-1-paskripkin@gmail.com>
Date:   Sat,  5 Jun 2021 23:20:51 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     dledford@...hat.com, jgg@...pe.ca, leon@...nel.org,
        shayd@...dia.com
Cc:     linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org,
        Pavel Skripkin <paskripkin@...il.com>, stable@...r.kernel.org
Subject: [PATCH] infiniband: core: fix memory leak

My local syzbot instance hit memory leak in
copy_process(). The problem was in unputted task
struct in _destroy_id().

Simple reproducer:

int main(void)
{
        struct rdma_ucm_cmd_hdr *hdr;
        struct rdma_ucm_create_id *cmd_id;
        char cmd[sizeof(*hdr) + sizeof(*cmd_id)] = {0};
        int fd;

        hdr = (struct rdma_ucm_cmd_hdr *)cmd;
        cmd_id = (struct rdma_ucm_create_id *) (cmd + sizeof(*hdr));

        hdr->cmd = 0;
        hdr->in = 0x18;
        hdr->out = 0xfa00;

        cmd_id->uid = 0x3;
        cmd_id->response = 0x0;
        cmd_id->ps = 0x106;

        fd = open("/dev/infiniband/rdma_cm", O_WRONLY);
        write(fd, cmd, sizeof(cmd));
}

Ftrace log:

ucma_open();
ucma_write() {
  ucma_create_id() {
    ucma_alloc_ctx();
    rdma_create_user_id() {
      rdma_restrack_new();
      rdma_restrack_set_name() {
        rdma_restrack_attach_task.part.0(); <--- task_struct getted
      }
    }
    ucma_destroy_private_ctx() {
      ucma_put_ctx();
      rdma_destroy_id() {
        _destroy_id()			    <--- id_priv freed
      }
    }
  }
}
ucma_close();

>From previous log it's easy to undertand that
_destroy_id() is the last place, where task_struct
can be putted, because at the end of this function
id_priv is freed.

With this patch applied, above reproducer doesn't hit memory
leak anymore.

Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager")
Cc: <stable@...r.kernel.org>
Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
---
 drivers/infiniband/core/cma.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index ab148a696c0c..2760352261b3 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -1874,6 +1874,7 @@ static void _destroy_id(struct rdma_id_private *id_priv,
 
 	kfree(id_priv->id.route.path_rec);
 
+	rdma_restrack_put(&id_priv->res);
 	put_net(id_priv->id.route.addr.dev_addr.net);
 	kfree(id_priv);
 }
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ