lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20230718-ubifs-replay-auth-leak-v1-1-2dd2e00e6dc6@axis.com>
Date:   Tue, 18 Jul 2023 14:41:45 +0200
From:   Vincent Whitchurch <vincent.whitchurch@...s.com>
To:     Richard Weinberger <richard@....at>
CC:     Sascha Hauer <s.hauer@...gutronix.de>,
        <linux-mtd@...ts.infradead.org>, <linux-kernel@...r.kernel.org>,
        <kernel@...s.com>, Vincent Whitchurch <vincent.whitchurch@...s.com>
Subject: [PATCH] ubifs: Fix memory leak of bud->log_hash

Ensure that the allocated bud->log_hash (if any) is freed in all cases
when the bud itself is freed, to fix this leak caught by kmemleak:

 # keyctl add logon foo:bar data @s
 # echo clear > /sys/kernel/debug/kmemleak
 # mount -t ubifs /dev/ubi0_0 mnt -o auth_hash_name=sha256,auth_key=foo:bar
 # echo a > mnt/x
 # umount mnt
 # mount -t ubifs /dev/ubi0_0 mnt -o auth_hash_name=sha256,auth_key=foo:bar
 # umount mnt
 # sleep 5
 # echo scan > /sys/kernel/debug/kmemleak
 # echo scan > /sys/kernel/debug/kmemleak
 # cat /sys/kernel/debug/kmemleak
 unreferenced object 0xff... (size 128):
   comm "mount"
   backtrace:
     __kmalloc
     __ubifs_hash_get_desc+0x5d/0xe0 ubifs
     ubifs_replay_journal
     ubifs_mount
     ...

Fixes: da8ef65f9573 ("ubifs: Authenticate replayed journal")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@...s.com>
---
 fs/ubifs/super.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index 32cb14759796..0ef8c1f3d760 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -923,8 +923,10 @@ static void free_buds(struct ubifs_info *c)
 {
 	struct ubifs_bud *bud, *n;
 
-	rbtree_postorder_for_each_entry_safe(bud, n, &c->buds, rb)
+	rbtree_postorder_for_each_entry_safe(bud, n, &c->buds, rb) {
+		kfree(bud->log_hash);
 		kfree(bud);
+	}
 }
 
 /**
@@ -1193,6 +1195,7 @@ static void destroy_journal(struct ubifs_info *c)
 
 		bud = list_entry(c->old_buds.next, struct ubifs_bud, list);
 		list_del(&bud->list);
+		kfree(bud->log_hash);
 		kfree(bud);
 	}
 	ubifs_destroy_idx_gc(c);

---
base-commit: fdf0eaf11452d72945af31804e2a1048ee1b574c
change-id: 20230718-ubifs-replay-auth-leak-9b395b83196f

Best regards,
-- 
Vincent Whitchurch <vincent.whitchurch@...s.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ