lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 10 Aug 2021 20:56:30 +0200
From:   Jann Horn <jannh@...gle.com>
To:     QiuXi <qiuxi1@...wei.com>
Cc:     viro@...iv.linux.org.uk, akpm@...ux-foundation.org,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        gregkh@...uxfoundation.org, xiekunxun@...wei.com,
        young.liuyang@...wei.com
Subject: Re: [PATCH 1/1] coredump: fix memleak in dump_vma_snapshot()

On Tue, Aug 10, 2021 at 4:04 AM QiuXi <qiuxi1@...wei.com> wrote:
> dump_vma_snapshot() allocs memory for *vma_meta, when dump_vma_snapshot()
> returns -EFAULT, the memory will be leaked, so we free it correctly.

The change itself looks reasonable to me.

> Fixes: a07279c9a8cd7 ("binfmt_elf, binfmt_elf_fdpic: use a VMA list snapshot")
> Cc: stable@...r.kernel.org # v5.10

But I think this shouldn't be "Cc: stable". The patch only removes a
memory leak in a WARN_ON() path, and that WARN_ON() path can only be
taken if there is a kernel bug; if we reach this branch, there's a
good chance that kernel memory corruption has already occurred.


> Signed-off-by: QiuXi <qiuxi1@...wei.com>
> ---
>  fs/coredump.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/coredump.c b/fs/coredump.c
> index 07afb5ddb1c4..19fe5312c10f 100644
> --- a/fs/coredump.c
> +++ b/fs/coredump.c
> @@ -1127,8 +1127,10 @@ int dump_vma_snapshot(struct coredump_params *cprm, int *vma_count,
>
>         mmap_write_unlock(mm);
>
> -       if (WARN_ON(i != *vma_count))
> +       if (WARN_ON(i != *vma_count)) {
> +               kvfree(*vma_meta);
>                 return -EFAULT;
> +       }
>
>         *vma_data_size_ptr = vma_data_size;
>         return 0;
> --
> 2.12.3
>

Powered by blists - more mailing lists