| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 4 Dec 2019 10:39:55 -0800
From: Jakub Kicinski <jakub.kicinski@...ronome.com>
To: Navid Emamdoost <navid.emamdoost@...il.com>
Cc: emamd001@....edu, smccaman@....edu, kjlu@....edu,
"David S. Miller" <davem@...emloft.net>,
Pablo Neira Ayuso <pablo@...filter.org>,
John Hurley <john.hurley@...ronome.com>,
Colin Ian King <colin.king@...onical.com>,
oss-drivers@...ronome.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] nfp: abm: fix memory leak in
nfp_abm_u32_knode_replace
On Thu, 26 Sep 2019 20:51:46 -0500, Navid Emamdoost wrote:
> In nfp_abm_u32_knode_replace if the allocation for match fails it should
> go to the error handling instead of returning. Updated other gotos to
> have correct errno returned, too.
>
> Signed-off-by: Navid Emamdoost <navid.emamdoost@...il.com>
> ---
> Changes in v2:
> - Reused err variable for erorr value returning.
> Changes in v3:
> - Fix the err value in the first goto, and fix subject prefix.
Ugh damn this. Apparently this "fix" has made the news:
https://news.softpedia.com/news/canonical-releases-major-kernel-security-update-for-ubuntu-19-10-and-18-04-lts-528433.shtml
https://nvd.nist.gov/vuln/detail/CVE-2019-19076
and (a) it would be a damn control path, root-only memory leak, but
also (b) upon closer inspection there is no leak here at all!
We don't need to delete the entry if we failed to allocate it...
The delete path is in case the entry for the handle is changed, but
if we're trying to allocate one anew there can't be any on the list.
Congratulations to whoever classified this as a security fix.
I will send a revert, and go ask for the CVE to be marked invalid.
What a waste of time. I should have paid more attention :/
> diff --git a/drivers/net/ethernet/netronome/nfp/abm/cls.c b/drivers/net/ethernet/netronome/nfp/abm/cls.c
> index 23ebddfb9532..9f8a1f69c0c4 100644
> --- a/drivers/net/ethernet/netronome/nfp/abm/cls.c
> +++ b/drivers/net/ethernet/netronome/nfp/abm/cls.c
> @@ -176,8 +176,10 @@ nfp_abm_u32_knode_replace(struct nfp_abm_link *alink,
> u8 mask, val;
> int err;
>
> - if (!nfp_abm_u32_check_knode(alink->abm, knode, proto, extack))
> + if (!nfp_abm_u32_check_knode(alink->abm, knode, proto, extack)) {
> + err = -EOPNOTSUPP;
> goto err_delete;
> + }
>
> tos_off = proto == htons(ETH_P_IP) ? 16 : 20;
>
> @@ -198,14 +200,18 @@ nfp_abm_u32_knode_replace(struct nfp_abm_link *alink,
> if ((iter->val & cmask) == (val & cmask) &&
> iter->band != knode->res->classid) {
> NL_SET_ERR_MSG_MOD(extack, "conflict with already offloaded filter");
> + err = -EOPNOTSUPP;
> goto err_delete;
> }
> }
>
> if (!match) {
> match = kzalloc(sizeof(*match), GFP_KERNEL);
> - if (!match)
> - return -ENOMEM;
> + if (!match) {
> + err = -ENOMEM;
> + goto err_delete;
> + }
> +
> list_add(&match->list, &alink->dscp_map);
> }
> match->handle = knode->handle;
> @@ -221,7 +227,7 @@ nfp_abm_u32_knode_replace(struct nfp_abm_link *alink,
>
> err_delete:
> nfp_abm_u32_knode_delete(alink, knode);
> - return -EOPNOTSUPP;
> + return err;
> }
>
> static int nfp_abm_setup_tc_block_cb(enum tc_setup_type type,
Powered by blists - more mailing lists