| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAD-N9QWU_tcnHMtP3iWcQogSWwDET4nhK5AQKDbh2KJQzwfF9A@mail.gmail.com>
Date: Fri, 12 Aug 2022 21:56:46 +0800
From: Dongliang Mu <mudongliangabcd@...il.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Dongliang Mu <dzm91@...t.edu.cn>,
Arve Hjønnevåg <arve@...roid.com>,
Todd Kjos <tkjos@...roid.com>,
Martijn Coenen <maco@...roid.com>,
Joel Fernandes <joel@...lfernandes.org>,
Christian Brauner <brauner@...nel.org>,
Carlos Llamas <cmllamas@...gle.com>,
Suren Baghdasaryan <surenb@...gle.com>,
Kees Cook <keescook@...omium.org>,
syzkaller <syzkaller@...glegroups.com>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] drivers: binderfs: fix memory leak in binderfs_fill_super
On Fri, Aug 12, 2022 at 9:41 PM Greg Kroah-Hartman
<gregkh@...uxfoundation.org> wrote:
>
> On Fri, Aug 12, 2022 at 09:21:24PM +0800, Dongliang Mu wrote:
> > From: Dongliang Mu <mudongliangabcd@...il.com>
> >
> > In binderfs_fill_super, if s_root is not successfully initialized by
> > d_make_root, the previous allocated s_sb_info will not be freed since
> > generic_shutdown_super first checks if sb->s_root and then does
> > put_super operation. The put_super operation calls binderfs_put_super
> > to deallocate s_sb_info and put ipc_ns. This will lead to memory leak
> > in binderfs_fill_super.
> >
> > Fix this by invoking binderfs_put_super at error sites before s_root
> > is successfully initialized.
> >
> > Fixes: 095cf502b31e ("binderfs: port to new mount api")
> > Reported-by: syzkaller <syzkaller@...glegroups.com>
>
> Where is the specific syzkaller link for this report? It would be good
> to reference it so it can be properly checked.
>
> Also, how did you test this change?
I found this memory leak in my local syzkaller, and there is no any
syzbot report about this crash, therefore I use such a Reported-by to
indicate.
Although my local syzkaller does generate any reproducer, this bug can
be triggered by injecting faults at new_inode and d_make_root (i.e.,
between s_sb_info allocation and code after d_make_root).
>
> > Signed-off-by: Dongliang Mu <mudongliangabcd@...il.com>
> > ---
> > drivers/android/binderfs.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
> > index 588d753a7a19..20f5bc77495f 100644
> > --- a/drivers/android/binderfs.c
> > +++ b/drivers/android/binderfs.c
> > @@ -710,8 +710,10 @@ static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc)
> > info->mount_opts.stats_mode = ctx->stats_mode;
> >
> > inode = new_inode(sb);
> > - if (!inode)
> > + if (!inode) {
> > + binderfs_put_super(sb);
> > return -ENOMEM;
> > + }
> >
> > inode->i_ino = FIRST_INODE;
> > inode->i_fop = &simple_dir_operations;
> > @@ -721,8 +723,10 @@ static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc)
> > set_nlink(inode, 2);
> >
> > sb->s_root = d_make_root(inode);
> > - if (!sb->s_root)
> > + if (!sb->s_root) {
> > + binderfs_put_super(sb);
> > return -ENOMEM;
> > + }
>
> How did you test this change to verify that you are not now just leaking
> memory? It looks to me like you just changed one problem for another
> one :(
As mentioned above, I just tested my change by injecting faults at
new_inode and d_make_root.
Can you explain more about "changed one problem for another one"? I
don't quite understand this statement.
>
> Please always be very very careful when making these types of changes,
> and verify and test that they are correct.
>
> thanks,
>
> greg k-h
Powered by blists - more mailing lists