lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+aRj7Jt4cr549TJwqtsDHe-M2aKHi4vEmApZAZNEHDCEQ@mail.gmail.com>
Date:   Tue, 9 Jan 2018 18:23:54 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Steffen Klassert <steffen.klassert@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        David Miller <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Eric Biggers <ebiggers3@...il.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: AF_KEY: memory leak in key_notify_policy

Hello,

syzkaller has hit the following memory leak on 4.15-rc7:

unreferenced object 0xffff88001ea69cc0 (size 232):
  comm "syz-executor6", pid 4338, jiffies 4294719848 (age 11.965s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000004139cfa6>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
    [<000000004139cfa6>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<000000004139cfa6>] slab_alloc_node mm/slub.c:2725 [inline]
    [<000000004139cfa6>] kmem_cache_alloc_node+0x12d/0x2a0 mm/slub.c:2761
    [<0000000071fee1f9>] __alloc_skb+0x103/0x7c0 net/core/skbuff.c:193
    [<00000000b7305c65>] alloc_skb include/linux/skbuff.h:983 [inline]
    [<00000000b7305c65>] pfkey_xfrm_policy2msg_prep+0x29/0x50
net/key/af_key.c:2029
    [<000000008b2518b3>] key_notify_policy net/key/af_key.c:2192 [inline]
    [<000000008b2518b3>] pfkey_send_policy_notify+0x47f/0x920
net/key/af_key.c:3065
    [<0000000038eae3c6>] km_policy_notify+0x198/0x330 net/xfrm/xfrm_state.c:1907
    [<000000000c1a40c2>] xfrm_add_policy+0x733/0x9a0 net/xfrm/xfrm_user.c:1613
    [<000000001c692c3f>] xfrm_user_rcv_msg+0x454/0x890 net/xfrm/xfrm_user.c:2591
    [<0000000048c3aba7>] netlink_rcv_skb+0x275/0x550
net/netlink/af_netlink.c:2408
    [<00000000649d0c12>] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599
    [<00000000c67992ca>] netlink_unicast_kernel
net/netlink/af_netlink.c:1275 [inline]
    [<00000000c67992ca>] netlink_unicast+0x567/0x710
net/netlink/af_netlink.c:1301
    [<00000000614f28d1>] netlink_sendmsg+0x9c4/0xf60
net/netlink/af_netlink.c:1864
    [<000000004abc1891>] sock_sendmsg_nosec net/socket.c:636 [inline]
    [<000000004abc1891>] sock_sendmsg+0xd2/0x120 net/socket.c:646
    [<0000000067a5f2bd>] ___sys_sendmsg+0x7f6/0x930 net/socket.c:2026
    [<00000000ba6aef1c>] __sys_sendmsg+0xe6/0x220 net/socket.c:2060
    [<0000000051af4885>] SYSC_sendmsg net/socket.c:2071 [inline]
    [<0000000051af4885>] SyS_sendmsg+0x36/0x60 net/socket.c:2067
    [<00000000e00c5f48>] entry_SYSCALL_64_fastpath+0x23/0x9a

It seems that key_notify_policy() fails to free the skb when
pfkey_xfrm_policy2msg() fails.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ