The ctx->mech_used.data allocated by kmemdup is not freed in neither
gss_import_v2_context nor it only caller radeon_driver_open_kms.
Thus, this patch reform the last call of gss_import_v2_context to the
gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
formation.
Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
Signed-off-by: Zhipeng Lu <[email protected]>
---
net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index e31cfdf7eadc..1e54bd63e3f0 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
u64 seq_send64;
int keylen;
u32 time32;
+ int ret;
p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
if (IS_ERR(p))
@@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
}
ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
- return gss_krb5_import_ctx_v2(ctx, gfp_mask);
+ ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
+ if (ret) {
+ p = ERR_PTR(ret);
+ goto out_free;
+ };
+out_free:
+ kfree(ctx->mech_used.data);
out_err:
return PTR_ERR(p);
}
--
2.34.1
On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote:
> The ctx->mech_used.data allocated by kmemdup is not freed in neither
> gss_import_v2_context nor it only caller radeon_driver_open_kms.
> Thus, this patch reform the last call of gss_import_v2_context to the
> gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
> formation.
>
> Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
> Signed-off-by: Zhipeng Lu <[email protected]>
> ---
> net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> index e31cfdf7eadc..1e54bd63e3f0 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> u64 seq_send64;
> int keylen;
> u32 time32;
> + int ret;
>
> p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
> if (IS_ERR(p))
> @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> }
> ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
>
> - return gss_krb5_import_ctx_v2(ctx, gfp_mask);
> + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
> + if (ret) {
> + p = ERR_PTR(ret);
> + goto out_free;
> + };
>
> +out_free:
> + kfree(ctx->mech_used.data);
If the caller's error flow does not invoke
gss_krb5_delete_sec_context(), then I would expect more than just
mech_used.data would be leaked. What if, instead, you changed
gss_krb5_import_sec_context() like this (untested):
471 ret = gss_import_v2_context(p, end, ctx, gfp_mask);
472 memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess));
473 if (ret) {
- kfree(ctx);
+ gss_krb5_delete_sec_context(ctx);
475 return ret;
476 }
Obviously you would need to add a forward declaration of
gss_krb5_import_sec_context() to make this compile. The question
is whether gss_krb5_delete_sec_context() will deal with a partially-
initialized @ctx.
How did you find this leak, and what kind of testing was done to
confirm the fix is safe?
> out_err:
> return PTR_ERR(p);
> }
> --
> 2.34.1
>
--
Chuck Lever
On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote:
> The ctx->mech_used.data allocated by kmemdup is not freed in neither
> gss_import_v2_context nor it only caller radeon_driver_open_kms.
> Thus, this patch reform the last call of gss_import_v2_context to the
> gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
> formation.
>
> Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
> Signed-off-by: Zhipeng Lu <[email protected]>
> ---
> net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> index e31cfdf7eadc..1e54bd63e3f0 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> u64 seq_send64;
> int keylen;
> u32 time32;
> + int ret;
>
> p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
> if (IS_ERR(p))
> @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> }
> ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
>
> - return gss_krb5_import_ctx_v2(ctx, gfp_mask);
> + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
> + if (ret) {
> + p = ERR_PTR(ret);
> + goto out_free;
> + };
Hi Zhipeng Lu,
I think you need to handle the non-error case here:
return 0;
>
> +out_free:
> + kfree(ctx->mech_used.data);
> out_err:
> return PTR_ERR(p);
> }
> --
> 2.34.1
>
> On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote:
> > The ctx->mech_used.data allocated by kmemdup is not freed in neither
> > gss_import_v2_context nor it only caller radeon_driver_open_kms.
> > Thus, this patch reform the last call of gss_import_v2_context to the
> > gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
> > formation.
> >
> > Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
> > Signed-off-by: Zhipeng Lu <[email protected]>
> > ---
> > net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > index e31cfdf7eadc..1e54bd63e3f0 100644
> > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> > u64 seq_send64;
> > int keylen;
> > u32 time32;
> > + int ret;
> >
> > p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
> > if (IS_ERR(p))
> > @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> > }
> > ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
> >
> > - return gss_krb5_import_ctx_v2(ctx, gfp_mask);
> > + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
> > + if (ret) {
> > + p = ERR_PTR(ret);
> > + goto out_free;
> > + };
> >
> > +out_free:
> > + kfree(ctx->mech_used.data);
>
> If the caller's error flow does not invoke
> gss_krb5_delete_sec_context(), then I would expect more than just
> mech_used.data would be leaked. What if, instead, you changed
> gss_krb5_import_sec_context() like this (untested):
>
> 471 ret = gss_import_v2_context(p, end, ctx, gfp_mask);
> 472 memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess));
> 473 if (ret) {
> - kfree(ctx);
> + gss_krb5_delete_sec_context(ctx);
> 475 return ret;
> 476 }
>
> Obviously you would need to add a forward declaration of
> gss_krb5_import_sec_context() to make this compile. The question
> is whether gss_krb5_delete_sec_context() will deal with a partially-
> initialized @ctx.
Since the ctx is allocated just in gss_krb5_import_sec_context,
together with that all of gss_krb5_import_sec_context, gss_import_v2_context(with this patch)
and gss_krb5_import_ctx_v2 are allocation-free balanced. It seems that we don't need to
release anything else by invoking gss_krb5_delete_sec_context.
If I miss something leaked, please let me know.
>
> How did you find this leak, and what kind of testing was done to
> confirm the fix is safe?
I found this memleak by static analysis.
The safety issue can't be solved by automatic tools as far as I know.
So I check patches manuelly before sending patches.
> > out_err:
> > return PTR_ERR(p);
> > }
> > --
> > 2.34.1
> >
>
> --
> Chuck Lever
On Tue, Dec 26, 2023 at 05:01:05PM +0800, [email protected] wrote:
> > On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote:
> > > The ctx->mech_used.data allocated by kmemdup is not freed in neither
> > > gss_import_v2_context nor it only caller radeon_driver_open_kms.
> > > Thus, this patch reform the last call of gss_import_v2_context to the
> > > gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
> > > formation.
> > >
> > > Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
> > > Signed-off-by: Zhipeng Lu <[email protected]>
> > > ---
> > > net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++-
> > > 1 file changed, 8 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > > index e31cfdf7eadc..1e54bd63e3f0 100644
> > > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> > > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > > @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> > > u64 seq_send64;
> > > int keylen;
> > > u32 time32;
> > > + int ret;
> > >
> > > p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
> > > if (IS_ERR(p))
> > > @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> > > }
> > > ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
> > >
> > > - return gss_krb5_import_ctx_v2(ctx, gfp_mask);
> > > + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
> > > + if (ret) {
> > > + p = ERR_PTR(ret);
> > > + goto out_free;
> > > + };
> > >
> > > +out_free:
> > > + kfree(ctx->mech_used.data);
> >
> > If the caller's error flow does not invoke
> > gss_krb5_delete_sec_context(), then I would expect more than just
> > mech_used.data would be leaked. What if, instead, you changed
> > gss_krb5_import_sec_context() like this (untested):
> >
> > 471 ret = gss_import_v2_context(p, end, ctx, gfp_mask);
> > 472 memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess));
> > 473 if (ret) {
> > - kfree(ctx);
> > + gss_krb5_delete_sec_context(ctx);
> > 475 return ret;
> > 476 }
> >
> > Obviously you would need to add a forward declaration of
> > gss_krb5_import_sec_context() to make this compile. The question
> > is whether gss_krb5_delete_sec_context() will deal with a partially-
> > initialized @ctx.
>
> Since the ctx is allocated just in gss_krb5_import_sec_context,
> together with that all of gss_krb5_import_sec_context, gss_import_v2_context(with this patch)
> and gss_krb5_import_ctx_v2 are allocation-free balanced. It seems that we don't need to
> release anything else by invoking gss_krb5_delete_sec_context.
>
> If I miss something leaked, please let me know.
I see, if gss_krb5_import_ctx_v2() fails, it releases the ciphers
and hashes via out_free. So no leak there.
A nicer approach would be to handle that clean up in
gss_krb5_import_sec_context(): less code duplication.
But you're right, it's not broken today.
> > How did you find this leak, and what kind of testing was done to
> > confirm the fix is safe?
>
> I found this memleak by static analysis.
> The safety issue can't be solved by automatic tools as far as I know.
> So I check patches manuelly before sending patches.
Can you give some details about how you check the patches?
--
Chuck Lever