lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230406015315.31505-2-mirsad.todorovac@alu.unizg.hr>
Date:   Thu,  6 Apr 2023 03:53:19 +0200
From:   Mirsad Goran Todorovac <mirsad.todorovac@....unizg.hr>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Russ Weight <russell.h.weight@...el.com>,
        linux-kernel@...r.kernel.org
Cc:     Mirsad Goran Todorovac <mirsad.todorovac@....unizg.hr>,
        Luis Chamberlain <mcgrof@...nel.org>,
        Tianfei zhang <tianfei.zhang@...el.com>,
        Christophe JAILLET <christophe.jaillet@...adoo.fr>,
        Zhengchao Shao <shaozhengchao@...wei.com>,
        Colin Ian King <colin.i.king@...il.com>,
        Dan Carpenter <error27@...il.com>, Takashi Iwai <tiwai@...e.de>
Subject: [PATCH v3 2/2] test_firmware: fix memory leak in trigger_batched_requests_store()

trigger_batched_requests_store() and trigger_batched_requests_async_store()
both caused test_fw_config->reqs ptr to be overwritten with the new call to
either function and the vzalloc() call, leaving the old memory object
unreferenced.

Semantically the most simple and prudent solution seemed to be returning the
-EBUSY errno in this case, rather than permitting a kernel memory leak.

However, this did fix closed only these obvious leaks, not all that are
present in the test firmware loader.

Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Luis Chamberlain <mcgrof@...nel.org>
Cc: Russ Weight <russell.h.weight@...el.com>
Cc: Tianfei zhang <tianfei.zhang@...el.com>
Cc: Mirsad Goran Todorovac <mirsad.todorovac@....unizg.hr>
Cc: Christophe JAILLET <christophe.jaillet@...adoo.fr>
Cc: Zhengchao Shao <shaozhengchao@...wei.com>
Cc: Colin Ian King <colin.i.king@...il.com>
Cc: linux-kernel@...r.kernel.org
Suggested-by: Dan Carpenter <error27@...il.com>
Suggested-by: Takashi Iwai <tiwai@...e.de>
Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@....unizg.hr>
---
 lib/test_firmware.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/test_firmware.c b/lib/test_firmware.c
index 272af8dc54b0..b81f5621626e 100644
--- a/lib/test_firmware.c
+++ b/lib/test_firmware.c
@@ -919,6 +919,11 @@ static ssize_t trigger_batched_requests_store(struct device *dev,
 
 	mutex_lock(&test_fw_mutex);
 
+	if (test_fw_config->reqs) {
+		rc = -EBUSY;
+		goto out_bail;
+	}
+
 	test_fw_config->reqs =
 		vzalloc(array3_size(sizeof(struct test_batched_req),
 				    test_fw_config->num_requests, 2));
@@ -1017,6 +1022,11 @@ ssize_t trigger_batched_requests_async_store(struct device *dev,
 
 	mutex_lock(&test_fw_mutex);
 
+	if (test_fw_config->reqs) {
+		rc = -EBUSY;
+		goto out_bail;
+	}
+
 	test_fw_config->reqs =
 		vzalloc(array3_size(sizeof(struct test_batched_req),
 				    test_fw_config->num_requests, 2));
-- 
2.30.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ