lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20191217115358.GA730@hmswarspite.think-freely.org>
Date:   Tue, 17 Dec 2019 06:53:58 -0500
From:   Neil Horman <nhorman@...driver.com>
To:     Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
Cc:     syzbot <syzbot+772d9e36c490b18d51d1@...kaller.appspotmail.com>,
        davem@...emloft.net, linux-kernel@...r.kernel.org,
        linux-sctp@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, vyasevich@...il.com
Subject: Re: memory leak in sctp_stream_init

On Mon, Dec 16, 2019 at 09:37:16PM -0300, Marcelo Ricardo Leitner wrote:
> On Mon, Dec 16, 2019 at 11:56:38AM -0300, Marcelo Ricardo Leitner wrote:
> ...
> > Considering that genradix_prealloc() failure is not fatal, seems the
> > fix here is to just ignore the failure in sctp_stream_alloc_out() and
> > let genradix try again later on.
> 
> Better yet, this fixes it here:
> 
> ---8<---
> 
> diff --git a/net/sctp/stream.c b/net/sctp/stream.c
> index df60b5ef24cb..e0b01bf912b3 100644
> --- a/net/sctp/stream.c
> +++ b/net/sctp/stream.c
> @@ -84,8 +84,10 @@ static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
>  		return 0;
>  
>  	ret = genradix_prealloc(&stream->out, outcnt, gfp);
> -	if (ret)
> +	if (ret) {
> +		genradix_free(&stream->out);
>  		return ret;
> +	}
>  
>  	stream->outcnt = outcnt;
>  	return 0;
> @@ -100,8 +102,10 @@ static int sctp_stream_alloc_in(struct sctp_stream *stream, __u16 incnt,
>  		return 0;
>  
>  	ret = genradix_prealloc(&stream->in, incnt, gfp);
> -	if (ret)
> +	if (ret) {
> +		genradix_free(&stream->in);
>  		return ret;
> +	}
>  
>  	stream->incnt = incnt;
>  	return 0;
> 
I get how that fixes this, but that doesn't really seem like the right fix in my
mind.  Shouldn't genradix_prealloc internally free any memory its allocated if
it fails part way through its operation?

Neil

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ