lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4e065b3a-240e-4cd9-acd8-53e5a56abed0@moroto.mountain>
Date: Tue, 23 Jan 2024 09:04:26 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Zhipeng Lu <alexious@....edu.cn>
Cc: Parthiban Veerasooran <parthiban.veerasooran@...rochip.com>,
	Christian Gromm <christian.gromm@...rochip.com>,
	Dan Carpenter <error27@...il.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] most: fix a memleak in audio_probe_channel

On Tue, Jan 23, 2024 at 01:20:44AM +0800, Zhipeng Lu wrote:
> When get_channel fails, audio_probe_channel should free adpt like all
> its following error-handling paths after get_channel. Otherwise there
> could be a memleak.
> 
> Fixes: 15600aea2754 ("staging: most: sound: create one sound card w/ multiple PCM devices per MOST device")
> Signed-off-by: Zhipeng Lu <alexious@....edu.cn>
> ---
>  drivers/most/most_snd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/most/most_snd.c b/drivers/most/most_snd.c
> index 45d762804c5e..6cccc9c26796 100644
> --- a/drivers/most/most_snd.c
> +++ b/drivers/most/most_snd.c
> @@ -564,7 +564,8 @@ static int audio_probe_channel(struct most_interface *iface, int channel_id,
>  	if (get_channel(iface, channel_id)) {
>  		pr_err("channel (%s:%d) is already linked\n",
>  		       iface->description, channel_id);
> -		return -EEXIST;
> +		ret = -EEXIST;
> +		goto err_free_adpt;

No, this doesn't work.  Someone should add a comment here explaining
why.

This function is a bit complicated because we sometimes allocate "adpt"
and sometimes we don't.  Why can we not make it consistently one way or
the other?  This is not my code and I don't know.  But presumably there
is a good reason.  I looked up the previous discussion of this and found
this thread.

https://lore.kernel.org/all/78cc59b31042f865e947a2c09a5d10cc60ddc01c.camel@microchip.com/

Anyway, in the end, we're trying to clean up and on the other error
paths we're allowed to free "adpt" even though we didn't allocate it.

However once it's got a channel linked then we cannot.  At that stage
"adpt" is already added to the &iface->p->channel_list list.  The
release_adapter() adapter function will free it without removing it from
the list so it leads to a use after free.

However, memory on this path is not leaked as your commit message says.
"adpt" is still on the lists.  The stuff is in a messed up state so the
user will need to tear it all down manually and recreate the
configuration.  Quoting the email I linked to, "This
involves the call to mdev_link_destroy_link_store() that cleans up
everything."

So we can't apply your patch because it leads to a use after free.  But
we could apply a patch which adds a comment like:

	/*
	 * This error path doesn't leak.  If the channel is already set
	 * up then something has gone badly wrong.  The user will have
	 * to tear everything down and reconfigure from scratch.  The
	 * memory will be released via mdev_link_destroy_link_store().
	 *
	 */

regards,
dan carpenter


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ