2020-12-09 23:09:44

by Qinglang Miao

Subject: [PATCH] cgroup: Fix memory leak when parsing multiple source parameters

A memory leak is found in cgroup1_parse_param() when multiple source
parameters overwrite fc->source in the fs_context struct without free.

unreferenced object 0xffff888100d930e0 (size 16):
comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
hex dump (first 16 bytes):
74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00 testleak........
backtrace:
[<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
[<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
[<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
[<000000000f750198>] path_mount+0xee1/0x1820
[<0000000004756de2>] do_mount+0xea/0x100
[<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0

Fix this bug by permitting a single source parameter and rejecting with
an error all subsequent ones.

Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Qinglang Miao <[email protected]>
---
kernel/cgroup/cgroup-v1.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 191c329e4..1fd7d3d18 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -908,6 +908,9 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
if (opt == -ENOPARAM) {
if (strcmp(param->key, "source") == 0) {
+ if (fc->source)
+ return invalf(fc, "Multiple sources not
+ supported");
fc->source = param->string;
param->string = NULL;
return 0;
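Review bot: the added `return invalf(fc, "Multiple sources not` / `supported");` lines split a string literal across two source lines, which is not valid C (a literal cannot contain a raw line break) and will not compile; keep the message on one line, `return invalf(fc, "Multiple sources not supported");`, which also keeps the user-visible string greppable as kernel coding style asks. The check itself is the right shape: by returning before `param->string = NULL;` it leaves ownership of the duplicate value with the caller, so nothing is overwritten and nothing new is leaked on the error path.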
--
2.23.0


2020-12-10 01:29:22

by Qinglang Miao

Subject: [PATCH v2] cgroup: Fix memory leak when parsing multiple source parameters

A memory leak is found in cgroup1_parse_param() when multiple source
parameters overwrite fc->source in the fs_context struct without free.

unreferenced object 0xffff888100d930e0 (size 16):
comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
hex dump (first 16 bytes):
74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00 testleak........
backtrace:
[<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
[<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
[<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
[<000000000f750198>] path_mount+0xee1/0x1820
[<0000000004756de2>] do_mount+0xea/0x100
[<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0

Fix this bug by permitting a single source parameter and rejecting with
an error all subsequent ones.

Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Qinglang Miao <[email protected]>
---
v1->v2: fix compile problems caused by superfluous LF in err message.
kernel/cgroup/cgroup-v1.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 191c329e4..32596fdbc 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -908,6 +908,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
if (opt == -ENOPARAM) {
if (strcmp(param->key, "source") == 0) {
+ if (fc->source)
+ return invalf(fc, "Multiple sources not supported");
fc->source = param->string;
param->string = NULL;
return 0;
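Review bot: the early `return invalf(fc, "Multiple sources not supported");` deliberately leaves `param->string` in place, so the second value stays owned by the caller and is freed on its normal path rather than silently replacing the first `fc->source`, which is exactly what the leak report asks for; a one-line comment above `if (fc->source)` saying that ownership is only taken over when `param->string` is cleared would make that intent obvious to the next reader. Minor style point: the rest of `cgroup1_parse_param()` reports errors through `invalfc()` (for example `return invalfc(fc, "Unknown subsys name '%s'", param->key);` a few lines further down), so using `invalfc` here would be consistent with its neighbours.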
--
2.23.0
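The leak and the fix both come down to one ownership rule in the fs_context parameter API: a parser takes a string by storing it and clearing `param->string`; whatever it leaves in the parameter is freed by the caller. The following userspace model is an added example written for this page, not kernel code and not part of the patch; `fs_context`, `fs_parameter`, `vfs_parse_string()`, `parse_source_leaky()` and `parse_source_fixed()` are simplified stand-ins for the kernel structures and functions of the same idea, `ENOPARAM` is defined locally because it is a kernel-internal errno, and the allocation counter plays the role kmemleak plays in the report above.

```c
/*
 * Added example (not kernel code): a userspace model of the fs_context
 * ownership rule behind the "multiple source parameters" leak.
 * The structure and function names are simplified stand-ins for the
 * kernel's; only the ownership-transfer pattern is faithful.
 */
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENOPARAM 519 /* kernel-internal errno, defined here for the model */

/* Live-allocation counter standing in for kmemleak. */
static int live_allocs;

static char *tracked_strdup(const char *s)
{
	char *p = malloc(strlen(s) + 1);
	if (!p)
		abort();
	strcpy(p, s);
	live_allocs++;
	return p;
}

static void tracked_free(char *p)
{
	if (!p)
		return;
	free(p);
	live_allocs--;
}

struct fs_context {
	char *source; /* owned by the context once a parser stores it */
};

struct fs_parameter {
	const char *key;
	char *string; /* owned by the parameter until a parser clears it */
};

/* Before the fix: a second "source" silently overwrites the first,
 * and nobody frees the first allocation any more. */
static int parse_source_leaky(struct fs_context *fc, struct fs_parameter *param)
{
	if (strcmp(param->key, "source") != 0)
		return -ENOPARAM;
	fc->source = param->string;  /* old fc->source is dropped on the floor */
	param->string = NULL;        /* ownership transferred to fc */
	return 0;
}

/* After the fix: a second "source" is rejected with -EINVAL and
 * param->string is left untouched, so the caller frees it. */
static int parse_source_fixed(struct fs_context *fc, struct fs_parameter *param)
{
	if (strcmp(param->key, "source") != 0)
		return -ENOPARAM;
	if (fc->source)
		return -EINVAL; /* "Multiple sources not supported" */
	fc->source = param->string;
	param->string = NULL;
	return 0;
}

/* Caller side, modelled on the vfs_parse_fs_string() path in the report:
 * duplicate the value, hand it to the parser, free whatever it did not take. */
static int vfs_parse_string(struct fs_context *fc, const char *key,
			    const char *value,
			    int (*parse)(struct fs_context *, struct fs_parameter *))
{
	struct fs_parameter param = { .key = key, .string = tracked_strdup(value) };
	int ret = parse(fc, &param);

	tracked_free(param.string); /* no-op when the parser took ownership */
	return ret;
}

static void put_fs_context(struct fs_context *fc)
{
	tracked_free(fc->source);
	fc->source = NULL;
}

/* Feed "source=testleak,source=second" through a parser and return how many
 * allocations are still live after teardown (0 means no leak); the second
 * parser's return value is reported through *last_ret. */
static int leaked_after_mount(int (*parse)(struct fs_context *, struct fs_parameter *),
			      int *last_ret)
{
	struct fs_context fc = { 0 };

	live_allocs = 0;
	vfs_parse_string(&fc, "source", "testleak", parse);
	*last_ret = vfs_parse_string(&fc, "source", "second", parse);
	put_fs_context(&fc);
	return live_allocs;
}

int main(void)
{
	int ret;

	printf("leaky parser: %d leaked, ret=%d\n", leaked_after_mount(parse_source_leaky, &ret), ret);
	printf("fixed parser: %d leaked, ret=%d\n", leaked_after_mount(parse_source_fixed, &ret), ret);
	return 0;
}
```

Running the model shows the leaky parser leaving one allocation live (the first "testleak" string, matching the 16-byte object in the kmemleak report) while the fixed parser leaves none and returns `-EINVAL` for the duplicate, without any extra free in the parser itself: the fix works purely by refusing to take ownership a second time.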

2020-12-10 01:42:00

by kernel test robot

Subject: Re: [PATCH] cgroup: Fix memory leak when parsing multiple source parameters

Hi Qinglang,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on cgroup/for-next]
[also build test WARNING on v5.10-rc7 next-20201208]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Qinglang-Miao/cgroup-Fix-memory-leak-when-parsing-multiple-source-parameters/20201209-201041
base: https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-next
config: x86_64-randconfig-s031-20201209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.3-179-ga00755aa-dirty
# https://github.com/0day-ci/linux/commit/f80ce6cc8c1bde7ecab3fed9f9a514091cec6f56
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Qinglang-Miao/cgroup-Fix-memory-leak-when-parsing-multiple-source-parameters/20201209-201041
git checkout f80ce6cc8c1bde7ecab3fed9f9a514091cec6f56
# save the attached .config to linux build tree
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=x86_64

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All warnings (new ones prefixed by >>):

kernel/cgroup/cgroup-v1.c: In function 'cgroup1_parse_param':
>> kernel/cgroup/cgroup-v1.c:912:23: warning: missing terminating " character
912 | return invalf(fc, "Multiple sources not
| ^
kernel/cgroup/cgroup-v1.c:913:18: warning: missing terminating " character
913 | supported");
| ^
kernel/cgroup/cgroup-v1.c:1276: error: unterminated argument list invoking macro "invalf"
1276 | __setup("cgroup_no_v1=", cgroup_no_v1);
|
kernel/cgroup/cgroup-v1.c:912:12: error: 'invalf' undeclared (first use in this function)
912 | return invalf(fc, "Multiple sources not
| ^~~~~~
kernel/cgroup/cgroup-v1.c:912:12: note: each undeclared identifier is reported only once for each function it appears in
kernel/cgroup/cgroup-v1.c:912:18: error: expected ';' at end of input
912 | return invalf(fc, "Multiple sources not
| ^
| ;
......
1276 | __setup("cgroup_no_v1=", cgroup_no_v1);
|
kernel/cgroup/cgroup-v1.c:1276: note: '-Wmisleading-indentation' is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers
1276 | __setup("cgroup_no_v1=", cgroup_no_v1);
|
kernel/cgroup/cgroup-v1.c:912:5: error: expected declaration or statement at end of input
912 | return invalf(fc, "Multiple sources not
| ^~~~~~
kernel/cgroup/cgroup-v1.c:912:5: error: expected declaration or statement at end of input
kernel/cgroup/cgroup-v1.c:912:5: error: expected declaration or statement at end of input
kernel/cgroup/cgroup-v1.c:906:11: warning: unused variable 'i' [-Wunused-variable]
906 | int opt, i;
| ^
kernel/cgroup/cgroup-v1.c:904:24: warning: unused variable 'ss' [-Wunused-variable]
904 | struct cgroup_subsys *ss;
| ^~
kernel/cgroup/cgroup-v1.c:903:28: warning: unused variable 'ctx' [-Wunused-variable]
903 | struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
| ^~~
kernel/cgroup/cgroup-v1.c:1276: error: control reaches end of non-void function [-Werror=return-type]
1276 | __setup("cgroup_no_v1=", cgroup_no_v1);
|
At top level:
kernel/cgroup/cgroup-v1.c:849:12: warning: 'cgroup1_show_options' defined but not used [-Wunused-function]
849 | static int cgroup1_show_options(struct seq_file *seq, struct kernfs_root *kf_root)
| ^~~~~~~~~~~~~~~~~~~~
kernel/cgroup/cgroup-v1.c:817:12: warning: 'cgroup1_rename' defined but not used [-Wunused-function]
817 | static int cgroup1_rename(struct kernfs_node *kn, struct kernfs_node *new_parent,
| ^~~~~~~~~~~~~~
kernel/cgroup/cgroup-v1.c:33:13: warning: 'cgroup_no_v1_named' defined but not used [-Wunused-variable]
33 | static bool cgroup_no_v1_named;
| ^~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors

vim +912 kernel/cgroup/cgroup-v1.c

900
901 int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
902 {
903 struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
904 struct cgroup_subsys *ss;
905 struct fs_parse_result result;
906 int opt, i;
907
908 opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
909 if (opt == -ENOPARAM) {
910 if (strcmp(param->key, "source") == 0) {
911 if (fc->source)
> 912 return invalf(fc, "Multiple sources not
913 supported");
914 fc->source = param->string;
915 param->string = NULL;
916 return 0;
917 }
918 for_each_subsys(ss, i) {
919 if (strcmp(param->key, ss->legacy_name))
920 continue;
921 ctx->subsys_mask |= (1 << i);
922 return 0;
923 }
924 return invalfc(fc, "Unknown subsys name '%s'", param->key);
925 }
926 if (opt < 0)
927 return opt;
928
929 switch (opt) {
930 case Opt_none:
931 /* Explicitly have no subsystems */
932 ctx->none = true;
933 break;
934 case Opt_all:
935 ctx->all_ss = true;
936 break;
937 case Opt_noprefix:
938 ctx->flags |= CGRP_ROOT_NOPREFIX;
939 break;
940 case Opt_clone_children:
941 ctx->cpuset_clone_children = true;
942 break;
943 case Opt_cpuset_v2_mode:
944 ctx->flags |= CGRP_ROOT_CPUSET_V2_MODE;
945 break;
946 case Opt_xattr:
947 ctx->flags |= CGRP_ROOT_XATTR;
948 break;
949 case Opt_release_agent:
950 /* Specifying two release agents is forbidden */
951 if (ctx->release_agent)
952 return invalfc(fc, "release_agent respecified");
953 ctx->release_agent = param->string;
954 param->string = NULL;
955 break;
956 case Opt_name:
957 /* blocked by boot param? */
958 if (cgroup_no_v1_named)
959 return -ENOENT;
960 /* Can't specify an empty name */
961 if (!param->size)
962 return invalfc(fc, "Empty name");
963 if (param->size > MAX_CGROUP_ROOT_NAMELEN - 1)
964 return invalfc(fc, "Name too long");
965 /* Must match [\w.-]+ */
966 for (i = 0; i < param->size; i++) {
967 char c = param->string[i];
968 if (isalnum(c))
969 continue;
970 if ((c == '.') || (c == '-') || (c == '_'))
971 continue;
972 return invalfc(fc, "Invalid name");
973 }
974 /* Specifying two names is forbidden */
975 if (ctx->name)
976 return invalfc(fc, "name respecified");
977 ctx->name = param->string;
978 param->string = NULL;
979 break;
980 }
981 return 0;
982 }
983

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]


Attachments:
(No filename) (7.30 kB)
.config.gz (35.78 kB)

2020-12-15 08:44:46

by Zefan Li

Subject: Re: [PATCH] cgroup: Fix memory leak when parsing multiple source parameters

On 2020/12/9 20:13, Qinglang Miao wrote:
> A memory leak is found in cgroup1_parse_param() when multiple source
> parameters overwrite fc->source in the fs_context struct without free.
>
> unreferenced object 0xffff888100d930e0 (size 16):
> comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
> hex dump (first 16 bytes):
> 74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00 testleak........
> backtrace:
> [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
> [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
> [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
> [<000000000f750198>] path_mount+0xee1/0x1820
> [<0000000004756de2>] do_mount+0xea/0x100
> [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0
>
> Fix this bug by permitting a single source parameter and rejecting with
> an error all subsequent ones.
>
> Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
> Reported-by: Hulk Robot <[email protected]>
> Signed-off-by: Qinglang Miao <[email protected]>
> ---
> kernel/cgroup/cgroup-v1.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
> index 191c329e4..1fd7d3d18 100644
> --- a/kernel/cgroup/cgroup-v1.c
> +++ b/kernel/cgroup/cgroup-v1.c
> @@ -908,6 +908,9 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
> opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
> if (opt == -ENOPARAM) {
> if (strcmp(param->key, "source") == 0) {
> + if (fc->source)
> + return invalf(fc, "Multiple sources not
> + supported");

"never break user-visible strings such as printk messages because
that breaks the ability to grep for them.", quoted from CodingStyle.

Please fix this and you can add

Reviewed-by: Zefan Li <[email protected]>

2020-12-15 08:54:01

by Zefan Li

Subject: Re: [PATCH v2] cgroup: Fix memory leak when parsing multiple source parameters

(didn't notice you've sent v2 with the printk msg fixed)

On 2020/12/10 9:29, Qinglang Miao wrote:
> A memory leak is found in cgroup1_parse_param() when multiple source
> parameters overwrite fc->source in the fs_context struct without free.
>
> unreferenced object 0xffff888100d930e0 (size 16):
> comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
> hex dump (first 16 bytes):
> 74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00 testleak........
> backtrace:
> [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
> [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
> [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
> [<000000000f750198>] path_mount+0xee1/0x1820
> [<0000000004756de2>] do_mount+0xea/0x100
> [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0
>
> Fix this bug by permitting a single source parameter and rejecting with
> an error all subsequent ones.
>
> Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
> Reported-by: Hulk Robot <[email protected]>
> Signed-off-by: Qinglang Miao <[email protected]>
> ---
> v1->v2: fix compile problems caused by superfluous LF in err message.
> kernel/cgroup/cgroup-v1.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
> index 191c329e4..32596fdbc 100644
> --- a/kernel/cgroup/cgroup-v1.c
> +++ b/kernel/cgroup/cgroup-v1.c
> @@ -908,6 +908,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
> opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
> if (opt == -ENOPARAM) {
> if (strcmp(param->key, "source") == 0) {
> + if (fc->source)
> + return invalf(fc, "Multiple sources not supported");

Reviewed-by: Zefan Li <[email protected]>