Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3747916pxj; Mon, 7 Jun 2021 20:02:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxcUL63jFMYz1b02KpexWzS6ZnrfbPt+ebOSkkKyPyKYB7EEyFVwPDY22OSTUi2JdK5Ykky X-Received: by 2002:a17:907:92e:: with SMTP id au14mr20591457ejc.194.1623121330975; Mon, 07 Jun 2021 20:02:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623121330; cv=none; d=google.com; s=arc-20160816; b=ProaWd9kd2a0uqtd7obzzwlHrcazlfbH+QJhl+b7tRBqsUSMgvl322c/s5H+0LSyxR GNsf+7E+9+OrI4u8pJYTYHnIOBay2wTXIbzZY92X/XlCidfCHG2lKMk5dv1ewv9C48Ui KY3bLluColAEteGwVjvORZjT/oZ+9oaF8GeHBZtBJETzHWAFVe4YcQa2KX35nErTxHpk rmon8C7LfnlgFis9xmY0khn6GH0gjwjFEGO90777sO62YAJG6kqCEeF2k9+8AuI6die/ 08+5zclq3JAkWv27mrHk2cd1DdSWnvQI1pt7+ajWwL+ldb+78/e6tnRtya/j3rMn4zZ3 RYmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=EuJsYuOqrG8SwCz3ljrkwXN4K75nXvxXvYn9NFBNIIk=; b=YVEGPJDm+EpOj/zKW5InfcUOliWAJqUAxHJA/Is/QOjjzxr//E2ouaOXHM4lFNRrkM GT0y13okpm14NsGoliIuHdttbND/LmfCpnR7w2ODG4+r3oVqFR58dBy2cyxAtDDIvXYw b++Z4ti+KEQAsNB1KDDq/Z7LeB5iiYJnIfoWTYEftzjWpHB0Xbzi8GcPRlCwtGG3RNgD nwcCCIfDBkTBKP1B6lSkMt5+o2yd+RO3F8QYg6FHqkwsG36vmbyYiY9e6dDMjAnIMxdZ 0XSe2Qap99RAq6K8gHfsRh7gK6BvhSjelYFqTvTfQxjVIJ2BcmLuZYAt4Majd1LwBxpO f2oA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="b/Tb/Den"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z22si529911edc.56.2021.06.07.20.01.47; Mon, 07 Jun 2021 20:02:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="b/Tb/Den"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230351AbhFHDAB (ORCPT + 99 others); Mon, 7 Jun 2021 23:00:01 -0400 Received: from mail-ed1-f43.google.com ([209.85.208.43]:42912 "EHLO mail-ed1-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230233AbhFHDAB (ORCPT ); Mon, 7 Jun 2021 23:00:01 -0400 Received: by mail-ed1-f43.google.com with SMTP id i13so22792757edb.9 for ; Mon, 07 Jun 2021 19:58:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EuJsYuOqrG8SwCz3ljrkwXN4K75nXvxXvYn9NFBNIIk=; b=b/Tb/DenmCtu38YpFqyJ5pZcHaHq4/WyfqjMlIGoJNiMNfANIToEi7K3/qi09KX65a HRsvOsFx+++DN8XaG4MI5HPv4SMOBayo6cqyJGsiG6aGwNoWgOThbdrCnc1M/kiKTDuw +e8aOaNSZer3m2ERgU+iQHrkKM9Ih6pE7oq8p94nEBr5JM3cGp+CaEFXg0uwOaZKTMLi VWfNBoB4fieEEYeHmPRvLyGxPP0rDQCj53AfH2C1O8iLMWQYLKlUGZ/IFMgxHPVAYjNV Vz/YtPwa1I1AqE2X//PBAtJTAGCg5fSzP+dHq5E3HFtwmfeft43ZUpLKzAyaTKk9fqqT Q3RQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EuJsYuOqrG8SwCz3ljrkwXN4K75nXvxXvYn9NFBNIIk=; b=MHk2NB0OhN8iNBXO/P/GdfYx6FbiyGPuy7YhqlROre5Ta7AltXfx5l5zyw/s3APQEZ mZCU3RHubxuKToGC65q6bmNHByPvmCaM//0c2CPX+qMUa7GaJfKC3WpBItLE36R9Nd5B yFV+t6bZoSUl0LDOxlIxT5oucq/0C4cx5t4bDslgtTSukF97746vpGjxbzEkwG1xzuiU 8xj0iijcgCrP05dI0PIL3euGTeiil5CkBwXaKLzWyCe1PgcA7UWoIDXmJDlA17tK42Q7 egJjDony6nZNAlrkUtR3qmFRFo5MMU8iwAAmXWhageLIcOC/prLTN4Ig5wk83sQxpRYN nMOQ== X-Gm-Message-State: AOAM532SK8UrxVco4UAwN9uWmhBTFvgvT1EvSIg5w2QjJy0Rgni1F152 4YdlJkqLI1Y81rKlBCJgZBvnUiyGx//dSzSyfHA7 X-Received: by 2002:a05:6402:1771:: with SMTP id da17mr19127260edb.31.1623121028094; Mon, 07 Jun 2021 19:57:08 -0700 (PDT) MIME-Version: 1.0 References: <20210608015158.3848878-1-sunnanyong@huawei.com> In-Reply-To: From: Paul Moore Date: Mon, 7 Jun 2021 22:56:57 -0400 Message-ID: Subject: Re: [PATCH] net: ipv4: fix memory leak in netlbl_cipsov4_add_std To: Dongliang Mu Cc: Nanyong Sun , davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org, Jakub Kicinski , netdev@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 7, 2021 at 10:31 PM Dongliang Mu wrote: > On Tue, Jun 8, 2021 at 9:57 AM Paul Moore wrote: > > On Mon, Jun 7, 2021 at 9:19 PM Nanyong Sun wrote: > > > > > > Reported by syzkaller: > > > BUG: memory leak > > > unreferenced object 0xffff888105df7000 (size 64): > > > comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s) > > > hex dump (first 32 bytes): > > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > > backtrace: > > > [<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline] > > > [<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline] > > > [<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline] > > > [<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416 > > > [<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739 > > > [<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] > > > [<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800 > > > [<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504 > > > [<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 > > > [<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] > > > [<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340 > > > [<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929 > > > [<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline] > > > [<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674 > > > [<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350 > > > [<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404 > > > [<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433 > > > [<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47 > > > [<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae > > > > > > The memory of doi_def->map.std pointing is allocated in > > > netlbl_cipsov4_add_std, but no place has freed it. It should be > > > freed in cipso_v4_doi_free which frees the cipso DOI resource. > > > > > > Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration") > > > Reported-by: Hulk Robot > > > Signed-off-by: Nanyong Sun > > > --- > > > net/ipv4/cipso_ipv4.c | 1 + > > > 1 file changed, 1 insertion(+) > > > > Nice catch, thanks for fixing this. > > > > Acked-by: Paul Moore > > > > > diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c > > > index d6e3a92841e3..099259fc826a 100644 > > > --- a/net/ipv4/cipso_ipv4.c > > > +++ b/net/ipv4/cipso_ipv4.c > > > @@ -471,6 +471,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) > > > kfree(doi_def->map.std->lvl.local); > > > kfree(doi_def->map.std->cat.cipso); > > > kfree(doi_def->map.std->cat.local); > > > + kfree(doi_def->map.std); > > > break; > > > } > > > kfree(doi_def); > > Hi kernel developers, > > I doubt this patch may cause invalid free in other functions where > map.std is not allocated or initialized, such as > netlbl_cipsov4_add_local, netlbl_cipsov4_add_pass. It isn't perfectly clear to me if you are implying there is a problem with the proposed patch or not, so I thought it might help to try and add some clarity. The patch above frees the cipso_v4_doi->map.std field, which is only valid when the cipso_v4_doi->type field is equal to CIPSO_V4_MAP_TRANS. This is why the cipso_v4_doi_free() function checks the type field before freeing the cipso_v4_doi->map related fields, and why the proposed patch places the new kfree() inside that conditional code block. If we look at netlalbel_cipsov4_add_pass() we see that the first thing it does after allocating a cipso_v4_doi struct is to set the type field to CIPSO_V4_MAP_PASS. Any calls to cipso_v4_doi_free after this point will not end up calling the proposed kfree() addition due to the cipso_v4_doi->type check. We see something very similar with netlbl_cipsov4_add_local(), although in this case the type field is set to CIPSO_V4_MAP_LOCAL. This type value will also not trigger the proposed kfree(). If you are aware of any other potential issues with this patch please do let us know, but from what I can see, the two concerns you presented here are not problems with the current or proposed code. -- paul moore www.paul-moore.com