| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Jan 2024 20:56:52 +0800 (GMT+08:00)
From: alexious@....edu.cn
To: "Dan Carpenter" <dan.carpenter@...aro.org>
Cc: "Parthiban Veerasooran" <parthiban.veerasooran@...rochip.com>,
"Christian Gromm" <christian.gromm@...rochip.com>,
"Dan Carpenter" <error27@...il.com>,
"Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] most: fix a memleak in audio_probe_channel
> On Tue, Jan 23, 2024 at 01:20:44AM +0800, Zhipeng Lu wrote:
> > When get_channel fails, audio_probe_channel should free adpt like all
> > its following error-handling paths after get_channel. Otherwise there
> > could be a memleak.
> >
> > Fixes: 15600aea2754 ("staging: most: sound: create one sound card w/ multiple PCM devices per MOST device")
> > Signed-off-by: Zhipeng Lu <alexious@....edu.cn>
> > ---
> > drivers/most/most_snd.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/most/most_snd.c b/drivers/most/most_snd.c
> > index 45d762804c5e..6cccc9c26796 100644
> > --- a/drivers/most/most_snd.c
> > +++ b/drivers/most/most_snd.c
> > @@ -564,7 +564,8 @@ static int audio_probe_channel(struct most_interface *iface, int channel_id,
> > if (get_channel(iface, channel_id)) {
> > pr_err("channel (%s:%d) is already linked\n",
> > iface->description, channel_id);
> > - return -EEXIST;
> > + ret = -EEXIST;
> > + goto err_free_adpt;
>
> No, this doesn't work. Someone should add a comment here explaining
> why.
>
> This function is a bit complicated because we sometimes allocate "adpt"
> and sometimes we don't. Why can we not make it consistently one way or
> the other? This is not my code and I don't know. But presumably there
> is a good reason. I looked up the previous discussion of this and found
> this thread.
>
> https://lore.kernel.org/all/78cc59b31042f865e947a2c09a5d10cc60ddc01c.camel@microchip.com/
>
> Anyway, in the end, we're trying to clean up and on the other error
> paths we're allowed to free "adpt" even though we didn't allocate it.
>
> However once it's got a channel linked then we cannot. At that stage
> "adpt" is already added to the &iface->p->channel_list list. The
> release_adapter() adapter function will free it without removing it from
> the list so it leads to a use after free.
>
> However, memory on this path is not leaked as your commit message says.
> "adpt" is still on the lists. The stuff is in a messed up state so the
> user will need to tear it all down manually and recreate the
> configuration. Quoting the email I linked to, "This
> involves the call to mdev_link_destroy_link_store() that cleans up
> everything."
>
> So we can't apply your patch because it leads to a use after free. But
> we could apply a patch which adds a comment like:
>
> /*
> * This error path doesn't leak. If the channel is already set
> * up then something has gone badly wrong. The user will have
> * to tear everything down and reconfigure from scratch. The
> * memory will be released via mdev_link_destroy_link_store().
> *
> */
>
Thank you for your correction and advise.
We would like to submit a new patch to add such comment.\
Regards,
Zhipeng.
> regards,
> dan carpenter
Powered by blists - more mailing lists