2003-03-12 20:52:50

by Oleg Drokin

[permalink] [raw]
Subject: [2.4] Memleak/unchecked user access in Megaraid driver?

Hello!

Seems there is a memleak on exit path and unchecked user addresses access
in megaraid driver from 2.4-current.

Probably something like following patch should be applied (probably
somebody should review it first anyway, I do not have ability to test it,
but it looks correct to me).

Found with help of smatch + enhanced unfree script.

Bye,
Oleg

===== drivers/scsi/megaraid.c 1.21 vs edited =====
--- 1.21/drivers/scsi/megaraid.c Fri Dec 13 12:29:59 2002
+++ edited/drivers/scsi/megaraid.c Wed Mar 12 23:59:09 2003
@@ -4895,19 +4895,18 @@

if( kvaddr == NULL ) {
printk(KERN_WARNING "megaraid:allocation failed\n");
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0) /*0x20400 */
- kfree(scsicmd);
-#else
- scsi_init_free((char *)scsicmd, sizeof(Scsi_Cmnd));
-#endif
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto out;
}

ioc.ui.fcs.buffer = kvaddr;

if (inlen) {
/* copyin the user data */
- copy_from_user(kvaddr, (char *)uaddr, length );
+ if (copy_from_user(kvaddr, (char *)uaddr, length )) {
+ ret = -EFAULT;
+ goto out;
+ }
}
}

@@ -4925,7 +4924,8 @@

if( !scsicmd->result && outlen ) {
if (copy_to_user(uaddr, kvaddr, length))
- return -EFAULT;
+ ret = -EFAULT;
+ goto out;
}

/*
@@ -4944,6 +4944,7 @@
put_user (scsicmd->result, &uioc->mbox[17]);
}

+out:
if (kvaddr) {
dma_free_consistent(pdevp, length, kvaddr, dma_addr);
}