lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20250116190717.8923-1-zfigura@codeweavers.com>
Date: Thu, 16 Jan 2025 13:07:17 -0600
From: Elizabeth Figura <zfigura@...eweavers.com>
To: Arnd Bergmann <arnd@...db.de>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-kernel@...r.kernel.org,
	wine-devel@...ehq.org,
	Elizabeth Figura <zfigura@...eweavers.com>
Subject: [PATCH] ntsync: Fix reference leaks in the remaining create ioctls.

When ntsync_obj_get_fd() fails, we free the ntsync object but forget to drop the
"file" member.

This was fixed for semaphores in 0e7d523b5f7a23b1dc6ceceb04e31a60e9e3321d, but
that commit did not fix the similar leak for events and mutexes, since they were
part of patches not yet in the mainline kernel. Fix those cases.

Fixes: 5bc2479a3585b "ntsync: Introduce NTSYNC_IOC_CREATE_MUTEX."
Fixes: 4c7404b9c2b57 "ntsync: Introduce NTSYNC_IOC_CREATE_EVENT."
Signed-off-by: Elizabeth Figura <zfigura@...eweavers.com>
---
 drivers/misc/ntsync.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/ntsync.c b/drivers/misc/ntsync.c
index b6441e978974..055395cde42b 100644
--- a/drivers/misc/ntsync.c
+++ b/drivers/misc/ntsync.c
@@ -781,7 +781,7 @@ static int ntsync_create_mutex(struct ntsync_device *dev, void __user *argp)
 	mutex->u.mutex.owner = args.owner;
 	fd = ntsync_obj_get_fd(mutex);
 	if (fd < 0)
-		kfree(mutex);
+		ntsync_free_obj(mutex);
 
 	return fd;
 }
@@ -802,7 +802,7 @@ static int ntsync_create_event(struct ntsync_device *dev, void __user *argp)
 	event->u.event.signaled = args.signaled;
 	fd = ntsync_obj_get_fd(event);
 	if (fd < 0)
-		kfree(event);
+		ntsync_free_obj(event);
 
 	return fd;
 }

base-commit: 0e7d523b5f7a23b1dc6ceceb04e31a60e9e3321d
-- 
2.45.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ