lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20141012170756.19d1d12e@uryu.home.lan>
Date:	Sun, 12 Oct 2014 17:07:56 +0200
From:	Stephen Hemminger <stephen@...workplumber.org>
To:	Andy Grover <andy.grover@...cle.com>
Cc:	netdev@...r.kernel.org
Subject: Fw: [Bug 86081] New: Can't free the return value of sock_kmalloc()
 when the value is NULL



Begin forwarded message:

Date: Sun, 12 Oct 2014 01:26:47 -0700
From: "bugzilla-daemon@...zilla.kernel.org" <bugzilla-daemon@...zilla.kernel.org>
To: "stephen@...workplumber.org" <stephen@...workplumber.org>
Subject: [Bug 86081] New: Can't free the return value of sock_kmalloc() when the value is NULL


https://bugzilla.kernel.org/show_bug.cgi?id=86081

            Bug ID: 86081
           Summary: Can't free the return value of sock_kmalloc() when the
                    value is NULL
           Product: Networking
           Version: 2.5
    Kernel Version: 3.14
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: shemminger@...ux-foundation.org
          Reporter: rucsoftsec@...il.com
        Regression: No

in function rds_cmsg_rdma_args() at net/rds/rdma.c:L546, the variable
"iovstack" is an array and the pointer variable *iovs is equal to iovstack (at
Line 554). As the the return value of sock_kmalloc() (called at line 578),when
"iovs" is NULL, function sock_kfree_s() will be called(at line 697) and
function sock_kfree_s() will free "iovs".  
The related code snippets in function rds_cmsg_rdma_args() are as followings.
rds_cmsg_rdma_args() at net/rds/rdma.c:L546
546 int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
547                           struct cmsghdr *cmsg)
548 {
549         struct rds_rdma_args *args;
550         struct rm_rdma_op *op = &rm->rdma;
551         int nr_pages;
552         unsigned int nr_bytes;
553         struct page **pages = NULL;
554         struct rds_iovec iovstack[UIO_FASTIOV], *iovs = iovstack;
            ...
576         iov_size = args->nr_local * sizeof(struct rds_iovec);
577         if (args->nr_local > UIO_FASTIOV) {
578                 iovs = sock_kmalloc(rds_rs_to_sk(rs), iov_size,
GFP_KERNEL);
579                 if (!iovs) {
580                         ret = -ENOMEM;
581                         goto out;
582                 }
583         }
            ...
695 out:
696         if (iovs != iovstack)
697                 sock_kfree_s(rds_rs_to_sk(rs), iovs, iov_size);
698         kfree(pages);
699         if (ret)
700                 rds_rdma_free_op(op);
701         else
702                 rds_stats_inc(s_send_rdma);
703 
704         return ret;
705 }

Thak you!

RUC_Soft_Sec, supported by China.X.Orion

-- 
You are receiving this mail because:
You are the assignee for the bug.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ