| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240904045820.5510-1-riyandhiman14@gmail.com> Date: Wed, 4 Sep 2024 10:28:18 +0530 From: Riyan Dhiman <riyandhiman14@...il.com> To: bvanassche@....org, aacraid@...rosemi.com, James.Bottomley@...senPartnership.com, martin.petersen@...cle.com Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH] scsi: aacraid: Fix memory leak in open_getadapter_fib function >>> Just above the copy_to_user() call there is the following statement: >>> >>> list_add_tail(&fibctx->next, &dev->fib_list); >>> >>> Does that mean that the above kfree() will cause list corruption? >> >> Yes, you are correct. I overlooked that fibctx is part of a list, and freeing the >> memory without removing the list entry would corrupt the list. >> The list entry should be deleted before freeing the memory if copy_to_user() fails. > > Are you sure that this is what the code should do? If copy_to_user function fails that means data was not copied to args successfully, which can leads to issue as args might remain unchanged or in an uninteded state. Since we are returning an -EFAULT error, we should free fibctx and remove the list entry in the case of an error. If there are any other methods, additional checks, or potential issues with this approach that I should consider, please let me know, and I'll make the necessary adjustments promptly. Regards, Riyan Dhiman
Powered by blists - more mailing lists