lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1668160371-39153-1-git-send-email-wangyufen@huawei.com> Date: Fri, 11 Nov 2022 17:52:51 +0800 From: Wang Yufen <wangyufen@...wei.com> To: <linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org> CC: <paul@...l-moore.com>, <jmorris@...ei.org>, <serge@...lyn.com>, <martin.lau@...nel.org>, <daniel@...earbox.net>, <ast@...nel.org>, <pabeni@...hat.com>, <kuba@...nel.org>, <edumazet@...gle.com>, Wang Yufen <wangyufen@...wei.com>, Stanislav Fomichev <sdf@...gle.com> Subject: [PATCH] net: fix memory leak in security_sk_alloc() kmemleak reports this issue: unreferenced object 0xffff88810b7835c0 (size 32): comm "test_progs", pid 270, jiffies 4294969007 (age 1621.315s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 03 00 00 00 03 00 00 00 0f 00 00 00 00 00 00 00 ................ backtrace: [<00000000376cdeab>] kmalloc_trace+0x27/0x110 [<000000003bcdb3b6>] selinux_sk_alloc_security+0x66/0x110 [<000000003959008f>] security_sk_alloc+0x47/0x80 [<00000000e7bc6668>] sk_prot_alloc+0xbd/0x1a0 [<0000000002d6343a>] sk_alloc+0x3b/0x940 [<000000009812a46d>] unix_create1+0x8f/0x3d0 [<000000005ed0976b>] unix_create+0xa1/0x150 [<0000000086a1d27f>] __sock_create+0x233/0x4a0 [<00000000cffe3a73>] __sys_socket_create.part.0+0xaa/0x110 [<0000000007c63f20>] __sys_socket+0x49/0xf0 [<00000000b08753c8>] __x64_sys_socket+0x42/0x50 [<00000000b56e26b3>] do_syscall_64+0x3b/0x90 [<000000009b4871b8>] entry_SYSCALL_64_after_hwframe+0x63/0xcd The issue occurs in the following scenarios: unix_create1() sk_alloc() sk_prot_alloc() security_sk_alloc() call_int_hook() hlist_for_each_entry() entry1->hook.sk_alloc_security <-- selinux_sk_alloc_security() succeeded, <-- sk->security alloced here. entry2->hook.sk_alloc_security <-- bpf_lsm_sk_alloc_security() failed goto out_free; ... <-- the sk->security not freed, memleak To fix, if security_sk_alloc() failed and sk->security not null, goto out_free_sec to reclaim resources. I'm not sure whether this fix makes sense, but if hook lists don't support this usage, might need to modify the "tools/testing/selftests/bpf/progs/lsm_cgroup.c" test case. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Wang Yufen <wangyufen@...wei.com> Cc: Stanislav Fomichev <sdf@...gle.com> --- net/core/sock.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/core/sock.c b/net/core/sock.c index a3ba035..e457a9d 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2030,8 +2030,11 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority, sk = kmalloc(prot->obj_size, priority); if (sk != NULL) { - if (security_sk_alloc(sk, family, priority)) + if (security_sk_alloc(sk, family, priority)) { + if (sk->sk_security) + goto out_free_sec; goto out_free; + } if (!try_module_get(prot->owner)) goto out_free_sec; -- 1.8.3.1
Powered by blists - more mailing lists