syzkaller report this:
BUG: memory leak
unreferenced object 0xffffc9000488d000 (size 9195520):
comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
hex dump (first 32 bytes):
ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
backtrace:
[<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
[<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
[<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
[<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
[<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
[<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
[<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
[<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<00000000241f889b>] 0xffffffffffffffff
It should goto 'out_free' lable to free allocated buf while kernel_read
fails.
Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
Signed-off-by: YueHaibing <[email protected]>
---
fs/exec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/exec.c b/fs/exec.c
index 7a4b5ef..2e00333 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -932,7 +932,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
if (bytes < 0) {
ret = bytes;
- goto out;
+ goto out_free;
}
if (bytes == 0)
--
2.7.0
On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
> syzkaller report this:
> BUG: memory leak
> unreferenced object 0xffffc9000488d000 (size 9195520):
> comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
> hex dump (first 32 bytes):
> ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
> 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
> backtrace:
> [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
> [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
> [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
> [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
> [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
> [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
> [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
> [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [<00000000241f889b>] 0xffffffffffffffff
>
> It should goto 'out_free' lable to free allocated buf while kernel_read
> fails.
Applied.
From: Al Viro <[email protected]> on behalf of Al Viro <[email protected]>
Sent: Tuesday, February 19, 2019 4:25 AM
To: yuehaibing
Cc: [email protected]; [email protected]; Dmitry Kasatkin; [email protected]
Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
?
On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
> syzkaller report this:
> BUG: memory leak
> unreferenced object 0xffffc9000488d000 (size 9195520):
>?? comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
>?? hex dump (first 32 bytes):
>???? ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00? ................
>???? 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff? ..........z.....
>?? backtrace:
>???? [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
>???? [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
>???? [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
>???? [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
>???? [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
>???? [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
>???? [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
>???? [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>???? [<00000000241f889b>] 0xffffffffffffffff
>
> It should goto 'out_free' lable to free allocated buf while kernel_read
> fails.
Applied.
This must be applied to stables as well...
On Mon, Mar 11, 2019 at 04:59:14PM +0000, Dmitry Kasatkin wrote:
>
>From: Al Viro <[email protected]> on behalf of Al Viro <[email protected]>
>Sent: Tuesday, February 19, 2019 4:25 AM
>To: yuehaibing
>Cc: [email protected]; [email protected]; Dmitry Kasatkin; [email protected]
>Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
>?
>On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
>> syzkaller report this:
>> BUG: memory leak
>> unreferenced object 0xffffc9000488d000 (size 9195520):
>>?? comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
>>?? hex dump (first 32 bytes):
>>???? ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00? ................
>>???? 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff? ..........z.....
>>?? backtrace:
>>???? [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
>>???? [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
>>???? [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
>>???? [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
>>???? [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
>>???? [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
>>???? [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
>>???? [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>???? [<00000000241f889b>] 0xffffffffffffffff
>>
>> It should goto 'out_free' lable to free allocated buf while kernel_read
>> fails.
>
>Applied.
>
>
>This must be applied to stables as well...
It's already in all relevant stable trees...
--
Thanks,
Sasha
From: Sasha Levin <[email protected]>
Sent: Tuesday, March 12, 2019 1:16 AM
To: Dmitry Kasatkin
Cc: Al Viro; yuehaibing; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]
Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
?
On Mon, Mar 11, 2019 at 04:59:14PM +0000, Dmitry Kasatkin wrote:
>
>From: Al Viro <[email protected]> on behalf of Al Viro <[email protected]>
>Sent: Tuesday, February 19, 2019 4:25 AM
>To: yuehaibing
>Cc: [email protected]; [email protected]; Dmitry Kasatkin; [email protected]
>Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
>?
>On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
>> syzkaller report this:
>> BUG: memory leak
>> unreferenced object 0xffffc9000488d000 (size 9195520):
>>?? comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
>>?? hex dump (first 32 bytes):
>>???? ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00? ................
>>???? 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff? ..........z.....
>>?? backtrace:
>>???? [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
>>???? [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
>>???? [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
>>???? [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
>>???? [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
>>???? [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
>>???? [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
>>???? [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>???? [<00000000241f889b>] 0xffffffffffffffff
>>
>> It should goto 'out_free' lable to free allocated buf while kernel_read
>> fails.
>
>Applied.
>
>
>This must be applied to stables as well...
> It's already in all relevant stable trees...
I only can see in longterm 4.19.
What about 4.9 and 4.14?
Thanks,
Dmitry
On Wed, Mar 13, 2019 at 02:12:30PM +0000, Dmitry Kasatkin wrote:
>
>
>
>
>
>
> From: Sasha Levin <[email protected]>
> Sent: Tuesday, March 12, 2019 1:16 AM
> To: Dmitry Kasatkin
> Cc: Al Viro; yuehaibing; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]
> Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
> ?
> On Mon, Mar 11, 2019 at 04:59:14PM +0000, Dmitry Kasatkin wrote:
> >
> >From: Al Viro <[email protected]> on behalf of Al Viro <[email protected]>
> >Sent: Tuesday, February 19, 2019 4:25 AM
> >To: yuehaibing
> >Cc: [email protected]; [email protected]; Dmitry Kasatkin; [email protected]
> >Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
> >?
> >On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
> >> syzkaller report this:
> >> BUG: memory leak
> >> unreferenced object 0xffffc9000488d000 (size 9195520):
> >>?? comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
> >>?? hex dump (first 32 bytes):
> >>???? ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00? ................
> >>???? 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff? ..........z.....
> >>?? backtrace:
> >>???? [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
> >>???? [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
> >>???? [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
> >>???? [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
> >>???? [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
> >>???? [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
> >>???? [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
> >>???? [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >>???? [<00000000241f889b>] 0xffffffffffffffff
> >>
> >> It should goto 'out_free' lable to free allocated buf while kernel_read
> >> fails.
> >
> >Applied.
> >
> >
> >This must be applied to stables as well...
>
> > It's already in all relevant stable trees...
>
> I only can see in longterm 4.19.
>
> What about 4.9 and 4.14?
It was in the queue already for that (you can see it on git.kernel.org),
and they are now part of the -rc releases that are currently out for
review.
thanks,
greg k-h
On 13/03/2019 16:38, [email protected] wrote:
> On Wed, Mar 13, 2019 at 02:12:30PM +0000, Dmitry Kasatkin wrote:
>>
>>
>>
>>
>>
>>
>> From: Sasha Levin <[email protected]>
>> Sent: Tuesday, March 12, 2019 1:16 AM
>> To: Dmitry Kasatkin
>> Cc: Al Viro; yuehaibing; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]
>> Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
>>
>> On Mon, Mar 11, 2019 at 04:59:14PM +0000, Dmitry Kasatkin wrote:
>>>
>>> From: Al Viro <[email protected]> on behalf of Al Viro <[email protected]>
>>> Sent: Tuesday, February 19, 2019 4:25 AM
>>> To: yuehaibing
>>> Cc: [email protected]; [email protected]; Dmitry Kasatkin; [email protected]
>>> Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
>>>
>>> On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
>>>> syzkaller report this:
>>>> BUG: memory leak
>>>> unreferenced object 0xffffc9000488d000 (size 9195520):
>>>> comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
>>>> hex dump (first 32 bytes):
>>>> ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
>>>> 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
>>>> backtrace:
>>>> [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
>>>> [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
>>>> [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
>>>> [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
>>>> [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
>>>> [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
>>>> [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
>>>> [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>> [<00000000241f889b>] 0xffffffffffffffff
>>>>
>>>> It should goto 'out_free' lable to free allocated buf while kernel_read
>>>> fails.
>>>
>>> Applied.
>>>
>>>
>>> This must be applied to stables as well...
>>
>>> It's already in all relevant stable trees...
>>
>> I only can see in longterm 4.19.
>>
>> What about 4.9 and 4.14?
>
> It was in the queue already for that (you can see it on git.kernel.org),
> and they are now part of the -rc releases that are currently out for
> review.
>
> thanks,
>
> greg k-h
>
Thanks!
Dmitry