lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210831084735.GL12231@kadam>
Date:   Tue, 31 Aug 2021 11:47:35 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     "F.A.Sulaiman" <asha.16@...ac.mrt.ac.lk>
Cc:     gregkh@...uxfoundation.org, devel@...verdev.osuosl.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] staging: rtl8723bs: fix memory leak error

On Tue, Aug 31, 2021 at 01:03:55AM +0530, F.A.Sulaiman wrote:
> Smatch reported memory leak bug in rtl8723b_FirmwareDownload function. 
> The problem is pFirmware memory is not released in release_fw1. 
> Instead of redirecting to release_fw1 we can turn it into exit 
> and free the memory.
> 
> Signed-off-by: F.A. SULAIMAN <asha.16@...ac.mrt.ac.lk>
> ---
>  drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
> index de8caa6cd418..b59c2aa3a9d8 100644
> --- a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
> +++ b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
> @@ -436,7 +436,7 @@ s32 rtl8723b_FirmwareDownload(struct adapter *padapter, bool  bUsedWoWLANFw)
>  	if (pFirmware->fw_length > FW_8723B_SIZE) {
>  		rtStatus = _FAIL;
>  		DBG_871X_LEVEL(_drv_emerg_, "Firmware size:%u exceed %u\n", pFirmware->fw_length, FW_8723B_SIZE);
> -		goto release_fw1;
> +		goto exit;
>  	}

The current tree doesn't have DBG_871X_LEVEL() so you must be working
against something old.  You need to work against linux-next or staging
next.

Your patch fixes a bug, but it would be better to just re-write the
error handling for this function.  There is another bug that a bunch
of error paths don't call release_firmware(fw).  Use the "Free the Last
Thing" method.

	pFirmware = kzalloc(sizeof(struct rt_firmware), GFP_KERNEL);
	if (!pFirmware)
		return _FAIL;

The last thing we allocated is "pFirmware" so free that if we have an
error.

	pBTFirmware = kzalloc(sizeof(struct rt_firmware), GFP_KERNEL);
	if (!pBTFirmware) {
		rtStatus = _FAIL;
		goto free_firmware;
	}

Now the last thing is pBTFirmware.

	rtStatus = request_firmware(&fw, fwfilepath, device);
	if (rtStatus) {
		rtStatus = _FAIL;
		goto free_bt_firmware;
	}

Now the last thing is "fw".  But this is a bit tricky because we're
going to release it as soon as possible and not wait until the end of
the function.  There isn't a reason for this...  We can change that or
keep it as-is.  If we keep it as is, then the we'll just call
release_firmware(fw); before the goto free_bt_firmware;  The current
code leaks fw on a bunch of error paths.

	pFirmware->fw_buffer_sz = kmemdup(fw->data, fw->size, GFP_KERNEL);
	if (!pFirmware->fw_buffer_sz) {
		rtStatus = _FAIL;
		release_firmware(fw);
		goto free_bt_firmware;
	}

Or:

	pFirmware->fw_buffer_sz = kmemdup(fw->data, fw->size, GFP_KERNEL);
	if (!pFirmware->fw_buffer_sz) {
		rtStatus = _FAIL;
		goto release_fw;
	}

Now the last thing is pFirmware->fw_buffer_sz.  Etc.

Then at the end it's just:

free_fw_buffer:
        kfree(pFirmware->fw_buffer_sz);
release_fw:
	release_firmware(fw);
free_bt_firmware:
	kfree(pBTFirmware);
free_firmware:
        kfree(pFirmware);

        return rtStatus;
}

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ