2020-06-03 02:17:25

by Namjae Jeon

[permalink] [raw]
Subject: [PATCH v2] exfat: fix memory leak in exfat_parse_param()

From: Al Viro <[email protected]>

butt3rflyh4ck reported memory leak found by syzkaller.

A param->string held by exfat_mount_options.

BUG: memory leak

unreferenced object 0xffff88801972e090 (size 8):
comm "syz-executor.2", pid 16298, jiffies 4295172466 (age 14.060s)
hex dump (first 8 bytes):
6b 6f 69 38 2d 75 00 00 koi8-u..
backtrace:
[<000000005bfe35d6>] kstrdup+0x36/0x70 mm/util.c:60
[<0000000018ed3277>] exfat_parse_param+0x160/0x5e0
fs/exfat/super.c:276
[<000000007680462b>] vfs_parse_fs_param+0x2b4/0x610
fs/fs_context.c:147
[<0000000097c027f2>] vfs_parse_fs_string+0xe6/0x150
fs/fs_context.c:191
[<00000000371bf78f>] generic_parse_monolithic+0x16f/0x1f0
fs/fs_context.c:231
[<000000005ce5eb1b>] do_new_mount fs/namespace.c:2812 [inline]
[<000000005ce5eb1b>] do_mount+0x12bb/0x1b30 fs/namespace.c:3141
[<00000000b642040c>] __do_sys_mount fs/namespace.c:3350 [inline]
[<00000000b642040c>] __se_sys_mount fs/namespace.c:3327 [inline]
[<00000000b642040c>] __x64_sys_mount+0x18f/0x230 fs/namespace.c:3327
[<000000003b024e98>] do_syscall_64+0xf6/0x7d0
arch/x86/entry/common.c:295
[<00000000ce2b698c>] entry_SYSCALL_64_after_hwframe+0x49/0xb3

exfat_free() should call exfat_free_iocharset(), to prevent a leak
in case we fail after parsing iocharset= but before calling
get_tree_bdev().

Additionally, there's no point copying param->string in
exfat_parse_param() - just steal it, leaving NULL in param->string.
That's independent from the leak or fix thereof - it's simply
avoiding an extra copy.

Fixes: 719c1e182916 ("exfat: add super block operations")
Cc: [email protected] # v5.7
Reported-by: butt3rflyh4ck <[email protected]>
Signed-off-by: Al Viro <[email protected]>
---
v2:
- update patch description in more detail.

fs/exfat/super.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/fs/exfat/super.c b/fs/exfat/super.c
index 405717e4e3ea..e650e65536f8 100644
--- a/fs/exfat/super.c
+++ b/fs/exfat/super.c
@@ -273,9 +273,8 @@ static int exfat_parse_param(struct fs_context *fc, struct fs_parameter *param)
break;
case Opt_charset:
exfat_free_iocharset(sbi);
- opts->iocharset = kstrdup(param->string, GFP_KERNEL);
- if (!opts->iocharset)
- return -ENOMEM;
+ opts->iocharset = param->string;
+ param->string = NULL;
break;
case Opt_errors:
opts->errors = result.uint_32;
@@ -686,7 +685,12 @@ static int exfat_get_tree(struct fs_context *fc)

static void exfat_free(struct fs_context *fc)
{
- kfree(fc->s_fs_info);
+ struct exfat_sb_info *sbi = fc->s_fs_info;
+
+ if (sbi) {
+ exfat_free_iocharset(sbi);
+ kfree(sbi);
+ }
}

static const struct fs_context_operations exfat_context_ops = {
--
2.17.1


2020-06-03 06:34:47

by Markus Elfring

[permalink] [raw]
Subject: Re: [PATCH v2] exfat: fix memory leak in exfat_parse_param()

> Additionally, there's no point copying param->string in
> exfat_parse_param() - just steal it, leaving NULL in param->string.
> That's independent from the leak or fix thereof - it's simply
> avoiding an extra copy.

I find it clearer to provide such a source code adjustment
by a separate update step.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id=d6f9469a03d832dcd17041ed67774ffb5f3e73b3#n138

Please move it into another patch.



> +++ b/fs/exfat/super.c

> @@ -686,7 +685,12 @@ static int exfat_get_tree(struct fs_context *fc)
>
> static void exfat_free(struct fs_context *fc)
> {
> - kfree(fc->s_fs_info);
> + struct exfat_sb_info *sbi = fc->s_fs_info;
> +
> + if (sbi) {
> + exfat_free_iocharset(sbi);
> + kfree(sbi);
> + }
> }


Can it be helpful to annotate the added check according to branch prediction?
Are valid pointers likely at this place?

Regards,
Markus