lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZshgieaM0VaMkjBj@ryzen.lan>
Date: Fri, 23 Aug 2024 12:12:25 +0200
From: Niklas Cassel <cassel@...nel.org>
To: Zheng Qixing <zhengqixing@...weicloud.com>
Cc: dlemoal@...nel.org, linux-ide@...r.kernel.org,
	linux-kernel@...r.kernel.org, yukuai3@...wei.com,
	yi.zhang@...wei.com, yangerkun@...wei.com, zhengqixing@...wei.com
Subject: Re: [PATCH v2] ata: libata: Fix memory leak for error path in
 ata_host_alloc()

On Thu, Aug 22, 2024 at 11:30:50AM +0800, Zheng Qixing wrote:
> From: Zheng Qixing <zhengqixing@...wei.com>
> 
> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
> for a port, the allocated 'host' structure is not freed before returning
> from the function. This results in a potential memory leak.

This sentence is wrong.

If ata_port_alloc() fails, we must have already called
devres_alloc(ata_devres_release, ...);
which means that when:

	ap = ata_port_alloc(host);
	if (!ap)
		goto err_out;


...

err_out:
	devres_release_group(dev, NULL);
	return NULL;


devres_release_group() will trigger a call to ata_host_release().
ata_host_release() calls kfree(host).

So we will not leak "host" if ata_port_alloc() fails.


> 
> This patch adds a kfree(host) before the error handling code is executed
> to ensure that the 'host' structure is properly freed in case of an
> allocation failure.
> 
> Signed-off-by: Zheng Qixing <zhengqixing@...wei.com>
> ---
> Changes in v2:
>  - error path is wrong in v1
> 
>  drivers/ata/libata-core.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
> index e4023fc288ac..f27a18990c38 100644
> --- a/drivers/ata/libata-core.c
> +++ b/drivers/ata/libata-core.c
> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
>  	}
>  
>  	dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
> -	if (!dr)
> +	if (!dr) {
> +		kfree(host);
>  		goto err_out;

This code does free "host" if devres_alloc() fails, which looks correct,
as "host" will currently be leaked if devres_alloc() fails.

However, that is not what the commit log above claims :P

Please update the commit message to reflect reality.


Kind regards,
Niklas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ