| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9a07d958-a114-072f-0592-b48e0d3c50e5@iogearbox.net>
Date: Mon, 21 May 2018 22:39:01 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Martin KaFai Lau <kafai@...com>,
Mathieu Xhonneux <m.xhonneux@...il.com>
Cc: netdev@...r.kernel.org, alexei.starovoitov@...il.com
Subject: Re: [PATCH] bpf: fix mem leak in error path of lwt bpf setup
On 05/21/2018 07:44 PM, Martin KaFai Lau wrote:
> On Sun, May 20, 2018 at 02:08:57PM +0100, Mathieu Xhonneux wrote:
>> In bpf_parse_prog, if bpf_prog_get_type fails, the function is
>> immediately terminated without freeing the previously allocated
>> prog->name.
>> This patch adds a kfree before the return.
>>
>> Signed-off-by: Mathieu Xhonneux <m.xhonneux@...il.com>
>> ---
>> net/core/lwt_bpf.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
>> index e7e626fb87bb..e142a7a32e46 100644
>> --- a/net/core/lwt_bpf.c
>> +++ b/net/core/lwt_bpf.c
>> @@ -223,8 +223,10 @@ static int bpf_parse_prog(struct nlattr *attr, struct bpf_lwt_prog *prog,
>>
>> fd = nla_get_u32(tb[LWT_BPF_PROG_FD]);
>> p = bpf_prog_get_type(fd, type);
>> - if (IS_ERR(p))
>> + if (IS_ERR(p)) {
>> + kfree(prog->name);
> I don't think it is needed.
> The caller, "bpf_build_state()", does bpf_destroy_state() during error
> out and it will eventually free up "name".
Agree, it's not needed in lwt/bpf due to call to destructor in error path.
>> return PTR_ERR(p);
>> + }
>>
>> prog->prog = p;
>>
>> --
>> 2.16.1
>>
Powered by blists - more mailing lists