lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 7 Oct 2019 13:22:15 +0200
From:   Sabrina Dubroca <sd@...asysnail.net>
To:     Taehee Yoo <ap420073@...il.com>
Cc:     davem@...emloft.net, netdev@...r.kernel.org,
        linux-wireless@...r.kernel.org, jakub.kicinski@...ronome.com,
        johannes@...solutions.net, j.vosburgh@...il.com, vfalico@...il.com,
        andy@...yhouse.net, jiri@...nulli.us, roopa@...ulusnetworks.com,
        saeedm@...lanox.com, manishc@...vell.com, rahulv@...vell.com,
        kys@...rosoft.com, haiyangz@...rosoft.com,
        stephen@...workplumber.org, sashal@...nel.org, hare@...e.de,
        varun@...lsio.com, ubraun@...ux.ibm.com, kgraul@...ux.ibm.com,
        jay.vosburgh@...onical.com, schuffelen@...gle.com, bjorn@...k.no
Subject: Re: [PATCH net v4 12/12] virt_wifi: fix refcnt leak in module exit
 routine

2019-09-28, 16:48:43 +0000, Taehee Yoo wrote:
> virt_wifi_newlink() calls netdev_upper_dev_link() and it internally
> holds reference count of lower interface.
> 
> Current code does not release a reference count of the lower interface
> when the lower interface is being deleted.
> So, reference count leaks occur.
> 
> Test commands:
>     ip link add dummy0 type dummy
>     ip link add vw1 link dummy0 type virt_wifi

There should also be "ip link del dummy0" in this reproducer, right?

[...]

> @@ -598,14 +634,24 @@ static int __init virt_wifi_init_module(void)
>  	/* Guaranteed to be locallly-administered and not multicast. */
>  	eth_random_addr(fake_router_bssid);
>  
> +	err = register_netdevice_notifier(&virt_wifi_notifier);
> +	if (err)
> +		return err;
> +

Here err is 0.

>  	common_wiphy = virt_wifi_make_wiphy();
>  	if (!common_wiphy)
> -		return -ENOMEM;
> +		goto notifier;

err is still 0 when we jump...

>  	err = rtnl_link_register(&virt_wifi_link_ops);
>  	if (err)
> -		virt_wifi_destroy_wiphy(common_wiphy);
> +		goto destroy_wiphy;
>  
> +	return 0;
> +
> +destroy_wiphy:
> +	virt_wifi_destroy_wiphy(common_wiphy);
> +notifier:
> +	unregister_netdevice_notifier(&virt_wifi_notifier);
>  	return err;
>  }

... so now we return 0 on failure. Can you add an "err = -ENOMEM"
before "common_wiphy = ..."?

Thanks.

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ