lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190424180840.515b88af@cakuba.netronome.com> Date: Wed, 24 Apr 2019 18:08:40 -0700 From: Jakub Kicinski <jakub.kicinski@...ronome.com> To: Wenwen Wang <wang6495@....edu> Cc: Boris Pismenny <borisp@...lanox.com>, Aviad Yehezkel <aviadye@...lanox.com>, Dave Watson <davejwatson@...com>, John Fastabend <john.fastabend@...il.com>, Daniel Borkmann <daniel@...earbox.net>, "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org (open list:NETWORKING [TLS]), linux-kernel@...r.kernel.org (open list), Vakul Garg <vakul.garg@....com> Subject: Re: [PATCH] net: tls: fix a memory leak bug On Wed, 24 Apr 2019 15:18:07 -0500, Wenwen Wang wrote: > In decrypt_internal(), a memory block 'mem' is allocated through kmalloc() > to hold aead_req, sgin[], sgout[], aad, and iv. This memory block should be > freed after it is used, before this function is returned. However, if the > return value of the function invocation of tls_do_decryption() is > -EINPROGRESS, this memory block is actually not freed, which is a memory > leak bug. > > To fix this issue, free the allocated block before the error code > -EINPROGRESS is returned. > > Signed-off-by: Wenwen Wang <wang6495@....edu> Did you find this by code inspection or is this provable at runtime (kmemleak or such)? > diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c > index b50ced8..22445bb 100644 > --- a/net/tls/tls_sw.c > +++ b/net/tls/tls_sw.c > @@ -1445,8 +1445,10 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, > /* Prepare and submit AEAD request */ > err = tls_do_decryption(sk, skb, sgin, sgout, iv, > data_len, aead_req, async); > - if (err == -EINPROGRESS) > + if (err == -EINPROGRESS) { > + kfree(mem); > return err; Mm... don't think so. -EINPROGRESS is special, it means something is working on the request asynchronously here. I think this memory is freed in tls_decrypt_done(): kfree(aead_req); Note that aead_req is the first member of the allocated buffer. CCing Vakul > + } > > /* Release the pages in case iov was mapped to pages */ > for (; pages > 0; pages--)
Powered by blists - more mailing lists