lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHC9VhTj+asuf=n1PVt0J74VaQuXPL5jQvZeoEpxg+vRFRb2rg@mail.gmail.com>
Date: Sun, 7 Dec 2025 16:45:05 -0500
From: Paul Moore <paul@...l-moore.com>
To: Will Rosenberg <whrosenb@....edu>
Cc: Oliver Rosenberg <olrose55@...il.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	Tejun Heo <tj@...nel.org>, Casey Schaufler <casey@...aufler-ca.com>, 
	Ondrej Mosnacek <omosnace@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4] kernfs: fix memory leak of kernfs_iattrs in __kernfs_new_node

On Tue, Nov 25, 2025 at 10:14 AM Will Rosenberg <whrosenb@....edu> wrote:
>
> There exists a memory leak of kernfs_iattrs contained as an element
> of kernfs_node allocated in __kernfs_new_node(). __kernfs_setattr()
> allocates kernfs_iattrs as a sub-object, and the LSM security check
> incorrectly errors out and does not free the kernfs_iattrs sub-object.
>
> Make an additional error out case that properly frees kernfs_iattrs if
> security_kernfs_init_security() fails.
>
> Fixes: e19dfdc83b60 ("kernfs: initialize security of newly created nodes")
> Co-developed-by: Oliver Rosenberg <olrose55@...il.com>
> Signed-off-by: Oliver Rosenberg <olrose55@...il.com>
> Signed-off-by: Will Rosenberg <whrosenb@....edu>
> ---
>
> Notes:
>     V1 -> V2: meant as a RESEND, but the commit message and notes were also made more succinct. Patch remained unchanged. v1 was not sent to LKML by mistake.
>     V2 -> V3: Update Fixes tag in commit message. Patch remains unchanged.
>     V3 -> V4: Use kmem_cache_free() in place of kfree(). To be safe and consistent, call simple_xattrs_free() in case simple_xattr is allocated in the future.
>
>  fs/kernfs/dir.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
> index a670ba3e565e..5c0efd6b239f 100644
> --- a/fs/kernfs/dir.c
> +++ b/fs/kernfs/dir.c
> @@ -675,11 +675,14 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
>         if (parent) {
>                 ret = security_kernfs_init_security(parent, kn);
>                 if (ret)
> -                       goto err_out3;
> +                       goto err_out4;
>         }
>
>         return kn;
>
> + err_out4:
> +       simple_xattrs_free(&kn->iattr->xattrs, NULL);
> +       kmem_cache_free(kernfs_iattrs_cache, kn->iattr);
>   err_out3:
>         spin_lock(&root->kernfs_idr_lock);
>         idr_remove(&root->ino_idr, (u32)kernfs_ino(kn));
>
> base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
> --
> 2.34.1

I haven't seen any feedback that this has been merged, or is in the
queue to be merged, so do you want to rebase against v6.18 or
v6.19-rc1 (when available) and resend, this time CC'ing the LSM list?
A rebase may not be necessary, but if you're going to resend, you
should verify it merges cleanly.

Since it is related to the kernfs LSM hooks, I don't have a problem
merging this via the LSM tree once the latest patch has had a quick
re-review.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ