From: Peilin Ye
To: Jan Kara
Cc: Peilin Ye, Greg Kroah-Hartman, linux-kernel-mentees@lists.linuxfoundation.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org
Subject: [Linux-kernel-mentees] [PATCH] udf: Fix memory leak in udf_process_sequence()
Date: Tue, 22 Sep 2020 11:45:31 -0400
Message-Id: <20200922154531.153922-1-yepeilin.cs@gmail.com>
In-Reply-To: <0000000000004c1f4d05afcff2f4@google.com>
References: <0000000000004c1f4d05afcff2f4@google.com>

udf_process_sequence() is leaking memory. Free `data.part_descs_loc` before returning.

Cc: stable@vger.kernel.org
Fixes: 7b78fd02fb19 ("udf: Fix handling of Partition Descriptors")
Reported-and-tested-by: syzbot+128f4dd6e796c98b3760@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=c5ec4e6f5d818f3c4afd4d59342468eec08a38da
Signed-off-by: Peilin Ye --- fs/udf/super.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/fs/udf/super.c b/fs/udf/super.c index 1c42f544096d..b0d862ab3024 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -1698,7 +1698,8 @@ static noinline int udf_process_sequence( "Pointers (max %u supported)\n", UDF_MAX_TD_NESTING); brelse(bh); - return -EIO; + ret = -EIO; + goto out; } vdp = (struct volDescPtr *)bh->b_data; @@ -1718,7 +1719,8 @@ static noinline int udf_process_sequence( curr = get_volume_descriptor_record(ident, bh, &data); if (IS_ERR(curr)) { brelse(bh); - return PTR_ERR(curr); + ret = PTR_ERR(curr); + goto out; } /* Descriptor we don't care about? */ if (!curr) @@ -1740,28 +1742,32 @@ static noinline int udf_process_sequence( */ if (!data.vds[VDS_POS_PRIMARY_VOL_DESC].block) { udf_err(sb, "Primary Volume Descriptor not found!\n"); - return -EAGAIN; + ret = -EAGAIN; + goto out; } ret = udf_load_pvoldesc(sb, data.vds[VDS_POS_PRIMARY_VOL_DESC].block); if (ret < 0) - return ret; + goto out; if (data.vds[VDS_POS_LOGICAL_VOL_DESC].block) { ret = udf_load_logicalvol(sb, data.vds[VDS_POS_LOGICAL_VOL_DESC].block, fileset); if (ret < 0) - return ret; + goto out; } /* Now handle prevailing Partition Descriptors */ for (i = 0; i < data.num_part_descs; i++) { ret = udf_load_partdesc(sb, data.part_descs_loc[i].rec.block); if (ret < 0) - return ret; + goto out; } - return 0; + ret = 0; +out: + kfree(data.part_descs_loc); + return ret; } /* -- 2.25.1
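
Review bot: In the last hunk (@@ -1740), `out:` now runs `kfree(data.part_descs_loc)` on every exit, but none of the hunks shows where that pointer is allocated or initialised, so the change is only correct if every `goto out`, starting with the UDF_MAX_TD_NESTING check in the @@ -1698 hunk, is reached after the field has been set. Please confirm that any return between the declaration of `data` and the allocation still returns directly, or that the field starts out NULL (which kfree() accepts), and consider naming the leaking exit paths in the changelog, since "is leaking memory" leaves the reader to rediscover them. Keeping the explicit `ret = 0;` before the label is right: it preserves the old `return 0` regardless of what the last udf_load_partdesc() call returned.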