Patch 570b8fb505896e007fd3bb07573ba6640e51851d:
Author: Mathieu Desnoyers <[email protected]>
Date: Tue Mar 30 00:04:00 2010 +0100
Subject: CRED: Fix memory leak in error handling
attempts to fix a memory leak in the error handling by making the offending
return statement into a jump down to the bottom of the function where a
kfree(tgcred) is inserted.
This is, however, incorrect, as it does a kfree() after doing put_cred() if
security_prepare_creds() fails. That will result in a double free if 'error'
is jumped to as put_cred() will also attempt to free the new tgcred record by
virtue of it being pointed to by the new cred record.
Signed-off-by: David Howells <[email protected]>
---
kernel/cred.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/cred.c b/kernel/cred.c
index e1dbe9e..ce1a52b 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)
error:
put_cred(new);
+ return NULL;
+
free_tgcred:
#ifdef CONFIG_KEYS
kfree(tgcred);
* David Howells ([email protected]) wrote:
> Patch 570b8fb505896e007fd3bb07573ba6640e51851d:
>
> Author: Mathieu Desnoyers <[email protected]>
> Date: Tue Mar 30 00:04:00 2010 +0100
> Subject: CRED: Fix memory leak in error handling
>
> attempts to fix a memory leak in the error handling by making the offending
> return statement into a jump down to the bottom of the function where a
> kfree(tgcred) is inserted.
>
> This is, however, incorrect, as it does a kfree() after doing put_cred() if
> security_prepare_creds() fails. That will result in a double free if 'error'
> is jumped to as put_cred() will also attempt to free the new tgcred record by
> virtue of it being pointed to by the new cred record.
OK, I missed the fact taht put_cred() performs the kfree. Thanks for the fix.
Acked-by: Mathieu Desnoyers <[email protected]>
>
> Signed-off-by: David Howells <[email protected]>
> ---
>
> kernel/cred.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index e1dbe9e..ce1a52b 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)
>
> error:
> put_cred(new);
> + return NULL;
> +
> free_tgcred:
> #ifdef CONFIG_KEYS
> kfree(tgcred);
>
--
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com
On Tue, 20 Apr 2010 22:41:18 +0100
David Howells <[email protected]> wrote:
> Patch 570b8fb505896e007fd3bb07573ba6640e51851d:
>
> Author: Mathieu Desnoyers <[email protected]>
> Date: Tue Mar 30 00:04:00 2010 +0100
> Subject: CRED: Fix memory leak in error handling
>
> attempts to fix a memory leak in the error handling by making the offending
> return statement into a jump down to the bottom of the function where a
> kfree(tgcred) is inserted.
>
> This is, however, incorrect, as it does a kfree() after doing put_cred() if
> security_prepare_creds() fails. That will result in a double free if 'error'
> is jumped to as put_cred() will also attempt to free the new tgcred record by
> virtue of it being pointed to by the new cred record.
>
> Signed-off-by: David Howells <[email protected]>
> ---
>
> kernel/cred.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index e1dbe9e..ce1a52b 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)
>
> error:
> put_cred(new);
> + return NULL;
> +
> free_tgcred:
> #ifdef CONFIG_KEYS
> kfree(tgcred);
Oleg's umh-creds-kill-subprocess_info-cred-logic.patch removes
prepare_usermodehelper_creds() altogether. An option would have been
to promote that into 2.6.34?
On Thu, 22 Apr 2010, Andrew Morton wrote:
> > #ifdef CONFIG_KEYS
> > kfree(tgcred);
>
> Oleg's umh-creds-kill-subprocess_info-cred-logic.patch removes
> prepare_usermodehelper_creds() altogether. An option would have been
> to promote that into 2.6.34?
FYI, this fix is in Linus' tree, now.
--
James Morris
<[email protected]>