Message-ID: <CALGdzurVr4djqSLkv0WfqU_t2g4r5MqAic2bakrnyHbO38VY8w@mail.gmail.com>
Date: Mon, 4 Mar 2024 20:44:22 -0600
From: Chenyuan Yang <chenyuan0y@...il.com>
To: mchehab@...nel.org, linux-media@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Cc: Zijie Zhao <zzjas98@...il.com>, syzkaller@...glegroups.com
Subject: [Linux Kernel Bug] memory leak in dvb_dvr_do_ioctl

Dear Linux Developers for DVB,

We encountered "memory leak in dvb_dvr_do_ioctl" when testing the
DVB driver with Syzkaller and our generated specifications.

The C reproducer and the config for the kernel are attached.

```
BUG: memory leak
unreferenced object 0xffffc9000ae81000 (size 4096):
  comm "syz-executor.0", pid 23888, jiffies 4295016268 (age 8.980s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8541ee5e>] create_object mm/kmemleak.c:761 [inline]
    [<ffffffff8541ee5e>] kmemleak_vmalloc+0x2e/0x90 mm/kmemleak.c:1082
    [<ffffffff816382f6>] __vmalloc_node_range+0xc76/0xdb0 mm/vmalloc.c:3348
    [<ffffffff816386c2>] __vmalloc_node mm/vmalloc.c:3385 [inline]
    [<ffffffff816386c2>] vmalloc+0x52/0x60 mm/vmalloc.c:3418
    [<ffffffff83db1c8c>] dvb_dvr_set_buffer_size drivers/media/dvb-core/dmxdev.c:293 [inline]
    [<ffffffff83db1c8c>] dvb_dvr_do_ioctl+0x12c/0x2a0 drivers/media/dvb-core/dmxdev.c:1296
    [<ffffffff83db1252>] dvb_usercopy+0x82/0x220 drivers/media/dvb-core/dvbdev.c:986
    [<ffffffff83db1b11>] dvb_dvr_ioctl+0x31/0x40 drivers/media/dvb-core/dmxdev.c:1333
    [<ffffffff8171ca88>] vfs_ioctl fs/ioctl.c:51 [inline]
    [<ffffffff8171ca88>] __do_sys_ioctl fs/ioctl.c:871 [inline]
    [<ffffffff8171ca88>] __se_sys_ioctl fs/ioctl.c:857 [inline]
    [<ffffffff8171ca88>] __x64_sys_ioctl+0x108/0x150 fs/ioctl.c:857
    [<ffffffff8540b150>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
    [<ffffffff8540b150>] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
    [<ffffffff8560008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b
```

The memory leak originates from the allocated memory `newmem = vmalloc(size);`,
as referenced in the code at
[https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L293].
Besides, this memory leak is triggered when enabling
`CONFIG_DVB_MMAP=y`, which will be used when freeing the memory in
`dvb_dvr_release`
(https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L214).

If you have any questions or require more information, please feel
free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@...il.com>

Best,
Chenyuan

Download attachment "config" of type "application/octet-stream" (249711 bytes)

Download attachment "dvb_ioctl_memleak.c" of type "application/octet-stream" (78567 bytes)
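
A triage helper for kmemleak records like the one in this report, added here as an example and not part of the original message or of any kernel tooling: it re-joins frames split by mail line wrapping and returns the first frame outside `mm/`, which is the code that owns the allocation and has to free it. The function names and the `mm/` skip rule are assumptions of this example; the sample is an excerpt of the trace above.

```python
import re

# Excerpt of the trace in this report, kept with the mail line wrap before file:line.
SAMPLE = """\
unreferenced object 0xffffc9000ae81000 (size 4096):
  backtrace:
    [<ffffffff8541ee5e>] create_object mm/kmemleak.c:761 [inline]
    [<ffffffff816386c2>] vmalloc+0x52/0x60 mm/vmalloc.c:3418
    [<ffffffff83db1c8c>] dvb_dvr_set_buffer_size
drivers/media/dvb-core/dmxdev.c:293 [inline]
    [<ffffffff83db1c8c>] dvb_dvr_do_ioctl+0x12c/0x2a0
drivers/media/dvb-core/dmxdev.c:1296
"""

HEADER = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
FRAME = re.compile(r"\[<([0-9a-f]+)>\]\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                   r"\s+(\S+):(\d+)(\s+\[inline\])?")

def parse_kmemleak(text):
    """Return one dict per 'unreferenced object' record, with its frames."""
    # Undo mail wrapping: a line starting with "path.c:NN" continues the frame above.
    text = re.sub(r"\n(?=\S+\.[chS]:\d+)", " ", text)
    records = []
    for line in text.splitlines():
        head = HEADER.search(line)
        if head:
            records.append({"addr": head.group(1), "size": int(head.group(2)), "frames": []})
            continue
        frame = FRAME.search(line)
        if frame and records:  # frames without file:line info are skipped
            records[-1]["frames"].append({
                "func": frame.group(2), "file": frame.group(3),
                "line": int(frame.group(4)), "inline": bool(frame.group(5))})
    return records

def allocation_site(record, allocator_prefixes=("mm/",)):
    """First frame outside the allocator: the code that owns the object."""
    for fr in record["frames"]:
        if not fr["file"].startswith(allocator_prefixes):
            return fr
    return None

def enclosing_function(record, site):
    """Inlined frames share a PC with their caller; return the first real one."""
    frames = record["frames"]
    for fr in frames[frames.index(site):]:
        if not fr["inline"]:
            return fr
    return None
```
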
