lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-id: <170829463835.1530.4794427167476868043@noble.neil.brown.name>
Date: Mon, 19 Feb 2024 09:17:18 +1100
From: "NeilBrown" <neilb@...e.de>
To: "Fedor Pchelkin" <pchelkin@...ras.ru>
Cc: "Aleksandr Burakov" <a.burakov@...alinux.ru>,
 "Chuck Lever" <chuck.lever@...cle.com>, "Jeff Layton" <jlayton@...nel.org>,
 linux-nfs@...r.kernel.org, "Dai Ngo" <Dai.Ngo@...cle.com>,
 linux-kernel@...r.kernel.org, "Tom Talpey" <tom@...pey.com>,
 "Olga Kornievskaia" <kolga@...app.com>, lvc-project@...uxtesting.org
Subject: Re: [lvc-project] [PATCH] nfsd: fix memory leak in
 __cld_pipe_inprogress_downcall()

On Mon, 19 Feb 2024, Fedor Pchelkin wrote:
> Hello Aleksandr,
> 
> On 24/02/16 04:45PM, Aleksandr Burakov wrote:
> > Dynamic memory, referenced by 'princhash.data' and 'name.data', 
> > is allocated by calling function 'memdup_user' and lost 
> > at __cld_pipe_inprogress_downcall() function return
> 
> It is not actually lost. If nfs4_client_to_reclaim() fails and thus
> returns NULL - this error case is already properly handled.
> 
> If nfs4_client_to_reclaim() succeeds then reference to the memory in
> question is passed to crp->cr_name.data and crp->cr_princhash.data
> correspondingly, and crp->cr_strhash entry is added to the list associated
> with nfsd_net. In this case the memory is supposed to be freed by
> nfs4_remove_reclaim_record(). See comment for nfs4_client_to_reclaim().
> 
> So I think the patch just introduces a double-free.

Agreed - this patch is incorrect.

Thanks,
NeilBrown


> 
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 11a60d159259 ("nfsd: add a "GetVersion" upcall for nfsdcld")
> > Signed-off-by: Aleksandr Burakov <a.burakov@...alinux.ru>
> > ---
> >  fs/nfsd/nfs4recover.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
> > index 2c060e0b1604..02663484782d 100644
> > --- a/fs/nfsd/nfs4recover.c
> > +++ b/fs/nfsd/nfs4recover.c
> > @@ -850,6 +850,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> >  			kfree(princhash.data);
> >  			return -EFAULT;
> >  		}
> > +		kfree(name.data);
> > +		kfree(princhash.data);
> >  		return nn->client_tracking_ops->msglen;
> >  	}
> >  	return -EFAULT;
> > -- 
> > 2.25.1
> 
> --
> Fedor
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ