lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ZYxEg3g8NIwcDZWM@tissot.1015granger.net>
Date: Wed, 27 Dec 2023 10:36:35 -0500
From: Chuck Lever <chuck.lever@...cle.com>
To: alexious@....edu.cn
Cc: Trond Myklebust <trond.myklebust@...merspace.com>,
        Anna Schumaker <anna@...nel.org>, Jeff Layton <jlayton@...nel.org>,
        Neil Brown <neilb@...e.de>, Olga Kornievskaia <kolga@...app.com>,
        Dai Ngo <Dai.Ngo@...cle.com>, Tom Talpey <tom@...pey.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>, Simo Sorce <simo@...hat.com>,
        Steve Dickson <steved@...hat.com>, Kevin Coffman <kwc@...i.umich.edu>,
        linux-nfs@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] SUNRPC: fix a memleak in gss_import_v2_context

On Tue, Dec 26, 2023 at 05:01:05PM +0800, alexious@....edu.cn wrote:
> > On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote:
> > > The ctx->mech_used.data allocated by kmemdup is not freed in neither
> > > gss_import_v2_context nor it only caller radeon_driver_open_kms.
> > > Thus, this patch reform the last call of gss_import_v2_context to the
> > > gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
> > > formation.
> > > 
> > > Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
> > > Signed-off-by: Zhipeng Lu <alexious@....edu.cn>
> > > ---
> > >  net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++-
> > >  1 file changed, 8 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > > index e31cfdf7eadc..1e54bd63e3f0 100644
> > > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> > > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > > @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> > >  	u64 seq_send64;
> > >  	int keylen;
> > >  	u32 time32;
> > > +	int ret;
> > >  
> > >  	p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
> > >  	if (IS_ERR(p))
> > > @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> > >  	}
> > >  	ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
> > >  
> > > -	return gss_krb5_import_ctx_v2(ctx, gfp_mask);
> > > +	ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
> > > +	if (ret) {
> > > +		p = ERR_PTR(ret);
> > > +		goto out_free;
> > > +	};
> > >  
> > > +out_free:
> > > +	kfree(ctx->mech_used.data);
> > 
> > If the caller's error flow does not invoke
> > gss_krb5_delete_sec_context(), then I would expect more than just
> > mech_used.data would be leaked. What if, instead, you changed
> > gss_krb5_import_sec_context() like this (untested):
> > 
> > 471         ret = gss_import_v2_context(p, end, ctx, gfp_mask);
> > 472         memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess));
> > 473         if (ret) {      
> >    -                kfree(ctx);                      
> >    +                gss_krb5_delete_sec_context(ctx);
> > 475                 return ret;
> > 476         }    
> > 
> > Obviously you would need to add a forward declaration of
> > gss_krb5_import_sec_context() to make this compile. The question
> > is whether gss_krb5_delete_sec_context() will deal with a partially-
> > initialized @ctx.
> 
> Since the ctx is allocated just in gss_krb5_import_sec_context, 
> together with that all of gss_krb5_import_sec_context, gss_import_v2_context(with this patch)
> and gss_krb5_import_ctx_v2 are allocation-free balanced. It seems that we don't need to 
> release anything else by invoking gss_krb5_delete_sec_context.
> 
> If I miss something leaked, please let me know.

I see, if gss_krb5_import_ctx_v2() fails, it releases the ciphers
and hashes via out_free. So no leak there.

A nicer approach would be to handle that clean up in
gss_krb5_import_sec_context(): less code duplication.

But you're right, it's not broken today.


> > How did you find this leak, and what kind of testing was done to
> > confirm the fix is safe?
> 
> I found this memleak by static analysis. 
> The safety issue can't be solved by automatic tools as far as I know.
> So I check patches manuelly before sending patches.

Can you give some details about how you check the patches?


-- 
Chuck Lever

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ