From: Scott Mayhew
To: trond.myklebust@hammerspace.com, anna.schumaker@netapp.com
Cc: syzbot , syzkaller-bugs@googlegroups.com, linux-nfs@vger.kernel.org
Subject: [PATCH] NFS: Fix leak of ctx->nfs_server.hostname
Date: Tue, 25 Feb 2020 11:05:22 -0500
Message-Id: <20200225160522.225406-1-smayhew@redhat.com>
Content-Transfer-Encoding: quoted-printable
X-Mailing-List: linux-nfs@vger.kernel.org

If userspace passes an nfs_mount_data struct in the data argument of mount(2), then nfs23_parse_monolithic() or nfs4_parse_monolithic() will allocate memory for ctx->nfs_server.hostname. This needs to be freed in nfs_parse_source(), which also allocates memory for ctx->nfs_server.hostname, otherwise a leak will occur.

Reported-by: syzbot+193c375dcddb4f345091@syzkaller.appspotmail.com
Fixes: f2aedb713c28 ("NFS: Add fs_context support.")
Signed-off-by: Scott Mayhew

--- fs/nfs/fs_context.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c index b616263b0eb6..e113fcb4bb4c 100644 --- a/fs/nfs/fs_context.c +++ b/fs/nfs/fs_context.c @@ -832,6 +832,8 @@ static int nfs_parse_source(struct fs_context *fc, if (len > maxnamlen) goto out_hostname; =20 + kfree(ctx->nfs_server.hostname); + /* N.B. caller will free nfs_server.hostname in all cases */ ctx->nfs_server.hostname =3D kmemdup_nul(dev_name, len, GFP_KERNEL); if (!ctx->nfs_server.hostname) --=20 2.24.1
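Review bot: the added kfree(ctx->nfs_server.hostname) in nfs_parse_source() carries no comment explaining why the pointer can already be non-NULL here, and the existing "N.B. caller will free nfs_server.hostname in all cases" comment directly below it now reads as if it contradicts the new line. A one-line comment above the kfree() saying that nfs23_parse_monolithic() or nfs4_parse_monolithic() may already have allocated the hostname would make the intent clear to the next reader. The placement itself looks sound: kfree() accepts NULL, and the pointer is overwritten by the kmemdup_nul() result on the very next statement, so no stale pointer is left for the caller to free a second time, even when the allocation fails. Because the free comes after the `len > maxnamlen` check, the `goto out_hostname` path leaves the earlier allocation to the caller, which matches the N.B. comment. The hunk shows only this one assignment, so any other assignment to ctx->nfs_server.hostname elsewhere in the function would need the same free before it.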