| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Jan 2018 20:53:03 +0000
From: Al Viro <viro@...IV.linux.org.uk>
To: David Miller <davem@...emloft.net>
Cc: netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Eric Dumazet <edumazet@...gle.com>,
Willem de Bruijn <willemb@...gle.com>,
syzkaller <syzkaller@...glegroups.com>,
Dmitry Vyukov <dvyukov@...gle.com>
Subject: Re: net: memory leak in socket
On Tue, Jan 09, 2018 at 07:58:08PM +0100, Dmitry Vyukov wrote:
> > Argh... Got broken by "make sock_alloc_file() do sock_release() on failures" -
> > cleanup after sock_map_fd() failure got pulled all the way into sock_alloc_file(),
> > but it used to serve the case when sock_map_fd() failed *before* getting to
> > sock_alloc_file().
> >
> > Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
> > Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
>
> Please add:
>
> Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Sure, no problem. Dave, which tree should that go through? Do you pick it, or
should I send the below directly to Linus?
----
Fix a leak in socket(2) when we fail to allocate a file descriptor.
Got broken by "make sock_alloc_file() do sock_release() on failures" -
cleanup after sock_map_fd() failure got pulled all the way into
sock_alloc_file(), but it used to serve the case when sock_map_fd()
failed *before* getting to sock_alloc_file() as well, and that got
lost. Trivial to fix, fortunately.
Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
---
diff --git a/net/socket.c b/net/socket.c
index bbd2e9ceb692..1536515b6437 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -430,8 +430,10 @@ static int sock_map_fd(struct socket *sock, int flags)
{
struct file *newfile;
int fd = get_unused_fd_flags(flags);
- if (unlikely(fd < 0))
+ if (unlikely(fd < 0)) {
+ sock_release(sock);
return fd;
+ }
newfile = sock_alloc_file(sock, flags, NULL);
if (likely(!IS_ERR(newfile))) {
Powered by blists - more mailing lists