2022-08-22 11:56:21

by Stanislav Goriainov

Subject: [PATCH] ovl: Fix potential memory leak

ovl: Fix potential memory leak in ovl_lookup()

If memory for upperredirect was allocated with kstrdup()
in upperdir != NULL and d.redirect != NULL path,
it may be lost when upperredirect is reassigned later.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Stanislav Goriainov <[email protected]>
---
fs/overlayfs/namei.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index 69dc577974f8..226c69812379 100644
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -1085,6 +1085,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
.mnt = ovl_upper_mnt(ofs),
};

+ kfree(upperredirect);
upperredirect = ovl_get_redirect_xattr(ofs, &upperpath, 0);
if (IS_ERR(upperredirect)) {
err = PTR_ERR(upperredirect);
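
Review bot: the added kfree(upperredirect) just before the ovl_get_redirect_xattr() assignment is only needed if an earlier allocation can still be held at this point, and neither the hunk nor the changelog shows the condition guarding this block. Please name in the commit message the conditions under which both the kstrdup() assignment and this call run in the same ovl_lookup() invocation. If those conditions are mutually exclusive the pointer is always NULL here; kfree(NULL) is a no-op, so the line would be harmless but would suggest an ownership hand-off that never occurs.
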
--
2.34.1


2022-08-22 14:18:49

by David Disseldorp

Subject: Re: [PATCH] ovl: Fix potential memory leak

On Mon, 22 Aug 2022 14:52:57 +0300, Stanislav Goriainov wrote:

> ovl: Fix potential memory leak in ovl_lookup()
>
> If memory for upperredirect was allocated with kstrdup()
> in upperdir != NULL and d.redirect != NULL path,
> it may be lost when upperredirect is reassigned later.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Stanislav Goriainov <[email protected]>
> ---
> fs/overlayfs/namei.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
> index 69dc577974f8..226c69812379 100644
> --- a/fs/overlayfs/namei.c
> +++ b/fs/overlayfs/namei.c
> @@ -1085,6 +1085,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> .mnt = ovl_upper_mnt(ofs),
> };
>
> + kfree(upperredirect);
> upperredirect = ovl_get_redirect_xattr(ofs, &upperpath, 0);
> if (IS_ERR(upperredirect)) {
> err = PTR_ERR(upperredirect);
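
Review bot: in the IS_ERR(upperredirect) branch that follows the new kfree(), upperredirect holds an error-encoded pointer, and the hunk cuts off after err = PTR_ERR(upperredirect). With a free of this variable now on the path, it is worth confirming in the full function that the branch resets upperredirect to NULL before jumping to any shared cleanup, since kfree() must never be handed an ERR_PTR value.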

This probably deserves a:
Fixes: 0a2d0d3f2f291 ("ovl: Check redirect on index as well")

Looks fine otherwise.
Reviewed-by: David Disseldorp <[email protected]>

2022-08-22 15:43:17

by Miklos Szeredi

Subject: Re: [PATCH] ovl: Fix potential memory leak

On Mon, 22 Aug 2022 at 13:53, Stanislav Goriainov <[email protected]> wrote:
>
> ovl: Fix potential memory leak in ovl_lookup()
>
> If memory for upperredirect was allocated with kstrdup()
> in upperdir != NULL and d.redirect != NULL path,
> it may be lost when upperredirect is reassigned later.

Can't happen because the first assignment of upperredirect will only
happen if upperdentry is non-NULL, while the second one will only happen
if upperdentry is NULL. I understand why the static checker fails to see
this: it doesn't know that dentry->d_name will never contain '/'. In
this case the looped call to ovl_lookup_single() can be ignored and it
is trivial to prove that d.redirect can only be set if *ret is
non-NULL.

Thanks,
Miklos