lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1eef96d5.2150.18d554b44ca.Coremail.alexious@zju.edu.cn>
Date: Mon, 29 Jan 2024 20:56:52 +0800 (GMT+08:00)
From: alexious@....edu.cn
To: "Dan Carpenter" <dan.carpenter@...aro.org>
Cc: "Parthiban Veerasooran" <parthiban.veerasooran@...rochip.com>,
	"Christian Gromm" <christian.gromm@...rochip.com>,
	"Dan Carpenter" <error27@...il.com>,
	"Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] most: fix a memleak in audio_probe_channel

> On Tue, Jan 23, 2024 at 01:20:44AM +0800, Zhipeng Lu wrote:
> > When get_channel fails, audio_probe_channel should free adpt like all
> > its following error-handling paths after get_channel. Otherwise there
> > could be a memleak.
> > 
> > Fixes: 15600aea2754 ("staging: most: sound: create one sound card w/ multiple PCM devices per MOST device")
> > Signed-off-by: Zhipeng Lu <alexious@....edu.cn>
> > ---
> >  drivers/most/most_snd.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/most/most_snd.c b/drivers/most/most_snd.c
> > index 45d762804c5e..6cccc9c26796 100644
> > --- a/drivers/most/most_snd.c
> > +++ b/drivers/most/most_snd.c
> > @@ -564,7 +564,8 @@ static int audio_probe_channel(struct most_interface *iface, int channel_id,
> >  	if (get_channel(iface, channel_id)) {
> >  		pr_err("channel (%s:%d) is already linked\n",
> >  		       iface->description, channel_id);
> > -		return -EEXIST;
> > +		ret = -EEXIST;
> > +		goto err_free_adpt;
> 
> No, this doesn't work.  Someone should add a comment here explaining
> why.
> 
> This function is a bit complicated because we sometimes allocate "adpt"
> and sometimes we don't.  Why can we not make it consistently one way or
> the other?  This is not my code and I don't know.  But presumably there
> is a good reason.  I looked up the previous discussion of this and found
> this thread.
> 
> https://lore.kernel.org/all/78cc59b31042f865e947a2c09a5d10cc60ddc01c.camel@microchip.com/
> 
> Anyway, in the end, we're trying to clean up and on the other error
> paths we're allowed to free "adpt" even though we didn't allocate it.
> 
> However once it's got a channel linked then we cannot.  At that stage
> "adpt" is already added to the &iface->p->channel_list list.  The
> release_adapter() adapter function will free it without removing it from
> the list so it leads to a use after free.
> 
> However, memory on this path is not leaked as your commit message says.
> "adpt" is still on the lists.  The stuff is in a messed up state so the
> user will need to tear it all down manually and recreate the
> configuration.  Quoting the email I linked to, "This
> involves the call to mdev_link_destroy_link_store() that cleans up
> everything."
> 
> So we can't apply your patch because it leads to a use after free.  But
> we could apply a patch which adds a comment like:
> 
> 	/*
> 	 * This error path doesn't leak.  If the channel is already set
> 	 * up then something has gone badly wrong.  The user will have
> 	 * to tear everything down and reconfigure from scratch.  The
> 	 * memory will be released via mdev_link_destroy_link_store().
> 	 *
> 	 */
> 

Thank you for your correction and advise. 
We would like to submit a new patch to add such comment.\

Regards,
Zhipeng.


> regards,
> dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ