lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2179817.iZASKD2KPV@leap>
Date:   Tue, 29 Mar 2022 08:18:16 +0200
From:   "Fabio M. De Francesco" <fmdefrancesco@...il.com>
To:     Dan Carpenter <dan.carpenter@...cle.com>
Cc:     axboe@...nel.dk, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        linux-scsi@...r.kernel.org,
        syzbot+f08c77040fa163a75a46@...kaller.appspotmail.com
Subject: Re: [PATCH] scsi: sd: Jump to out_free_index if device_add{,_disk}() fail

On luned? 28 marzo 2022 16:38:53 CEST Dan Carpenter wrote:
> On Mon, Mar 28, 2022 at 10:44:52AM +0200, Fabio M. De Francesco wrote:
> > Currently, if device_add() or device_add_disk() fail, the code jumps to
> > the "out" label. Doing so we get a memory leak as Syzbot reports.[1]
> > 
> > Fix this bug by jumping to the "out_free_index" label.
> > 
> > [1] https://groups.google.com/g/syzkaller-bugs/c/BvuqG6YGb6I
> > 
> > Reported-and-tested-by: syzbot+f08c77040fa163a75a46@...kaller.appspotmail.com
> > Fixes: 2a7a891f4c40 ("scsi: sd: Add error handling support for add_disk()")
> > Fixes: 265dfe8ebbab ("scsi: sd: Free scsi_disk device via put_device()")
> > Signed-off-by: Fabio M. De Francesco <fmdefrancesco@...il.com>
> > ---
> >  drivers/scsi/sd.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
> > index a390679cf458..61fcf653ef5a 100644
> > --- a/drivers/scsi/sd.c
> > +++ b/drivers/scsi/sd.c
> > @@ -3434,7 +3434,7 @@ static int sd_probe(struct device *dev)
> >  	error = device_add(&sdkp->disk_dev);
> >  	if (error) {
> >  		put_device(&sdkp->disk_dev);
> > -		goto out;
> > +		goto out_free_index;
> 
> The put_device calls scsi_disk_release() so this change will introduce
> use after frees and double frees.

Yes, correct. I've just looked at how put_device() is implemented. I didn't 
know how it works until you made me notice. Thanks!

Aside this I sent another diff to Syzbot. Today, at 4.30 CET, it replied again
that, after applying and testing my new patch, Syzkaller was not anymore able 
to trigger the memory leak that it had reported.

This is the new diff...

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index a390679cf458..6fac62f00b37 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3433,6 +3433,7 @@ static int sd_probe(struct device *dev)
 
        error = device_add(&sdkp->disk_dev);
        if (error) {
+               ida_free(&sd_index_ida, index);
                put_device(&sdkp->disk_dev);
                goto out;
        }
@@ -3474,6 +3475,7 @@ static int sd_probe(struct device *dev)
 
        error = device_add_disk(dev, gd, NULL);
        if (error) {
+               ida_free(&sd_index_ida, index);
                put_device(&sdkp->disk_dev);
                goto out;
        }

As it can be seen, I tried to simply free the IDA and jump to the "out"
label (exactly as it is in the current code).

The test passed today at 04.30 CET but, can it really be that not freeing 
the allocation of the IDA could trigger that memory leak? I'm not so sure, 
therefore, I'll wait for comments before submitting any v2.

> There is a larger process issue here.  We need to figure out why syzbot
> did not detect that this patch introduces bugs.

This is something that the people who run Syzbot/Syzkaller should help to
figure out.

Regards,

Fabio M. De Francesco

> regards,
> dan carpenter



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ