| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231209111857.19393-1-pchelkin@ispras.ru>
Date: Sat, 9 Dec 2023 14:18:56 +0300
From: Fedor Pchelkin <pchelkin@...ras.ru>
To: Don Brace <don.brace@...rochip.com>
Cc: Fedor Pchelkin <pchelkin@...ras.ru>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Alex Chiang <achiang@...com>,
Mike Miller <mikem@...rdog.cce.hp.com>,
"Stephen M. Cameron" <scameron@...rdog.cce.hp.com>,
storagedev@...rochip.com, linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>,
lvc-project@...uxtesting.org
Subject: [PATCH] scsi: hpsa: prevent memory leak in hpsa_big_passthru_ioctl
In case copy_from_user() fails during the buffers allocating loop inside
hpsa_big_passthru_ioctl(), the last allocated buffer (accessed by sg_used
index) is not freed on cleanup1 error path as sg_used index has not been
incremented yet.
Free the last allocated buffer directly if copy_from_user() fails.
Found by Linux Verification Center (linuxtesting.org).
Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
---
drivers/scsi/hpsa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index af18d20f3079..897f9ee3c004 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -6536,6 +6536,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h,
if (ioc->Request.Type.Direction & XFER_WRITE) {
if (copy_from_user(buff[sg_used], data_ptr, sz)) {
status = -EFAULT;
+ kfree(buff[sg_used]);
goto cleanup1;
}
} else
--
2.43.0
Powered by blists - more mailing lists