lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240915072336.GF2825852@ZenIV>
Date: Sun, 15 Sep 2024 08:23:36 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Daniel Yang <danielyangkang@...il.com>
Cc: Namjae Jeon <linkinjeon@...nel.org>,
	Sungjong Seo <sj1557.seo@...sung.com>,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	syzbot+e1c69cadec0f1a078e3d@...kaller.appspotmail.com
Subject: Re: [PATCH] fs/exfat: resolve memory leak from
 exfat_create_upcase_table()

On Sun, Sep 15, 2024 at 08:05:46AM +0100, Al Viro wrote:

> 	Interesting...  How does the mainline manage to avoid the
> call of exfat_kill_sb(), which should call_rcu() delayed_free(), which
> calls exfat_free_upcase_table()?
> 
> 	Could you verify that your reproducer does *NOT* hit that
> callchain?  AFAICS, the only caller of exfat_load_upcase_table()
> is exfat_create_upcase_table(), called by __exfat_fill_super(),
> called by exfat_fill_super(), passed as callback to get_tree_bdev().
> And if that's the case, ->kill_sb() should be called on failure and
> with non-NULL ->s_fs_info...
> 
> 	Something odd is going on there.

	Yecchh...  OK, I see what's happening, and the patch is probably
correct, but IMO it's way too subtle.  Unless I'm misreading what's
going on there, you have the following:
	exfat_load_upcase_table() have 3 failure exits.

One of them is with -ENOMEM; no table allocated and we proceed to
exfat_load_default_upcase_table().

Another is with -EIO.  In that case the table is left allocated, the
caller of exfat_load_upcase_table() returns immediately and the normal
logics in ->kill_sb() takes it out.

Finally, there's one with -EINVAL.  There the caller proceeds to
exfat_load_default_upcase_table(), which is where the mainline leaks.
That's the case your patch adjusts.

Note that resulting rules for exfat_load_upcase_table()
	* should leave for ->kill_sb() to free if failing with -EIO.
	* should make sure it's freed on all other failure exits.

At the very least that needs to be documented.  However, since the
problem happens when the caller proceeds to exfat_load_default_upcase_table(),
the things would be simpler if you had taken the "need to free what we'd
allocated" logics into the place where that logics is visible.  I.e.

                        ret = exfat_load_upcase_table(sb, sector, num_sectors,
                                le32_to_cpu(ep->dentry.upcase.checksum));

                        brelse(bh);
                        if (ret && ret != -EIO) {
				/* clean after exfat_load_upcase_table() */
				exfat_free_upcase_table(sbi);
                                goto load_default;
			}
IMO it would be less brittle that way.  And commit message needs
the explanation of the leak mechanism - a link to reporter is
nice, but it doesn't explain what's going on.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ