lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Mon, 5 Dec 2022 16:49:59 +0800
From:   Chen Zhongjin <chenzhongjin@...wei.com>
To:     <linux-fbdev@...r.kernel.org>, <dri-devel@...ts.freedesktop.org>,
        <stable@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC:     <chenzhongjin@...wei.com>, <daniel@...ll.ch>, <deller@....de>,
        <sam@...nborg.org>, <tzimmermann@...e.de>,
        <geert+renesas@...der.be>,
        <syzbot+25bdb7b1703639abd498@...kaller.appspotmail.com>
Subject: [PATCH] fbcon: Fix memleak when fbcon_set_font() fails

syzkaller reported a memleak:
https://syzkaller.appspot.com/bug?id=7cc8bce62e201c60e36ef0133dab7f6b8afbc626

BUG: memory leak
unreferenced object 0xffff888111648000 (size 18448):
  backtrace:
    [<ffffffff8250c359>] kmalloc
    [<ffffffff8250c359>] fbcon_set_font+0x1a9/0x470
    [<ffffffff8262cd59>] con_font_set
    [<ffffffff8262cd59>] con_font_op+0x3a9/0x600
    ...

It's because when fbcon_do_set_font() fails in fbcon_set_font(), it
return error directly and doesn't free allocated memory 'new_data'.

Reported-by: syzbot+25bdb7b1703639abd498@...kaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@...r.kernel.org
Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
---
 drivers/video/fbdev/core/fbcon.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index c0143d38df83..edb01d200b5b 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2480,7 +2480,7 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font,
 	int w = font->width;
 	int h = font->height;
 	int size;
-	int i, csum;
+	int i, csum, ret;
 	u8 *new_data, *data = font->data;
 	int pitch = PITCH(font->width);
 
@@ -2539,7 +2539,11 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font,
 			break;
 		}
 	}
-	return fbcon_do_set_font(vc, font->width, font->height, charcount, new_data, 1);
+
+	ret = fbcon_do_set_font(vc, font->width, font->height, charcount, new_data, 1);
+	if (ret && i > last_fb_vc)
+		kfree(new_data - FONT_EXTRA_WORDS * sizeof(int));
+	return ret;
 }
 
 static int fbcon_set_def_font(struct vc_data *vc, struct console_font *font, char *name)
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ