[PATCH] CRED: Fix double free in prepare_usermodehelper

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] CRED: Fix double free in prepare_usermodehelper_creds() error handling
@ 2010-04-20 21:41 David Howells
  2010-04-21 13:47 ` Mathieu Desnoyers
  2010-04-22 18:23 ` Andrew Morton
  0 siblings, 2 replies; 4+ messages in thread
From: David Howells @ 2010-04-20 21:41 UTC (permalink / raw)
  To: linux-security-module; +Cc: dhowells, mathieu.desnoyers, linux-kernel

Patch 570b8fb505896e007fd3bb07573ba6640e51851d:

	Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
	Date:   Tue Mar 30 00:04:00 2010 +0100
	Subject: CRED: Fix memory leak in error handling

attempts to fix a memory leak in the error handling by making the offending
return statement into a jump down to the bottom of the function where a
kfree(tgcred) is inserted.

This is, however, incorrect, as it does a kfree() after doing put_cred() if
security_prepare_creds() fails.  That will result in a double free if 'error'
is jumped to as put_cred() will also attempt to free the new tgcred record by
virtue of it being pointed to by the new cred record.

Signed-off-by: David Howells <dhowells@redhat.com>
---

 kernel/cred.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/kernel/cred.c b/kernel/cred.c
index e1dbe9e..ce1a52b 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)

 error:
 	put_cred(new);
+	return NULL;
+
 free_tgcred:
 #ifdef CONFIG_KEYS
 	kfree(tgcred);

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] CRED: Fix double free in prepare_usermodehelper_creds() error handling
  2010-04-20 21:41 [PATCH] CRED: Fix double free in prepare_usermodehelper_creds() error handling David Howells
@ 2010-04-21 13:47 ` Mathieu Desnoyers
  2010-04-22 18:23 ` Andrew Morton
  1 sibling, 0 replies; 4+ messages in thread
From: Mathieu Desnoyers @ 2010-04-21 13:47 UTC (permalink / raw)
  To: David Howells; +Cc: linux-security-module, linux-kernel

* David Howells (dhowells@redhat.com) wrote:
> Patch 570b8fb505896e007fd3bb07573ba6640e51851d:
> 
> 	Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> 	Date:   Tue Mar 30 00:04:00 2010 +0100
> 	Subject: CRED: Fix memory leak in error handling
> 
> attempts to fix a memory leak in the error handling by making the offending
> return statement into a jump down to the bottom of the function where a
> kfree(tgcred) is inserted.
> 
> This is, however, incorrect, as it does a kfree() after doing put_cred() if
> security_prepare_creds() fails.  That will result in a double free if 'error'
> is jumped to as put_cred() will also attempt to free the new tgcred record by
> virtue of it being pointed to by the new cred record.

OK, I missed the fact taht put_cred() performs the kfree. Thanks for the fix.

Acked-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>

> 
> Signed-off-by: David Howells <dhowells@redhat.com>
> ---
> 
>  kernel/cred.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/kernel/cred.c b/kernel/cred.c
> index e1dbe9e..ce1a52b 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)
>  
>  error:
>  	put_cred(new);
> +	return NULL;
> +
>  free_tgcred:
>  #ifdef CONFIG_KEYS
>  	kfree(tgcred);
> 

-- 
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] CRED: Fix double free in prepare_usermodehelper_creds() error handling
  2010-04-20 21:41 [PATCH] CRED: Fix double free in prepare_usermodehelper_creds() error handling David Howells
  2010-04-21 13:47 ` Mathieu Desnoyers
@ 2010-04-22 18:23 ` Andrew Morton
  2010-04-22 22:46   ` James Morris
  1 sibling, 1 reply; 4+ messages in thread
From: Andrew Morton @ 2010-04-22 18:23 UTC (permalink / raw)
  To: David Howells; +Cc: linux-security-module, mathieu.desnoyers, linux-kernel

On Tue, 20 Apr 2010 22:41:18 +0100
David Howells <dhowells@redhat.com> wrote:

> Patch 570b8fb505896e007fd3bb07573ba6640e51851d:
> 
> 	Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> 	Date:   Tue Mar 30 00:04:00 2010 +0100
> 	Subject: CRED: Fix memory leak in error handling
> 
> attempts to fix a memory leak in the error handling by making the offending
> return statement into a jump down to the bottom of the function where a
> kfree(tgcred) is inserted.
> 
> This is, however, incorrect, as it does a kfree() after doing put_cred() if
> security_prepare_creds() fails.  That will result in a double free if 'error'
> is jumped to as put_cred() will also attempt to free the new tgcred record by
> virtue of it being pointed to by the new cred record.
> 
> Signed-off-by: David Howells <dhowells@redhat.com>
> ---
> 
>  kernel/cred.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/kernel/cred.c b/kernel/cred.c
> index e1dbe9e..ce1a52b 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)
>  
>  error:
>  	put_cred(new);
> +	return NULL;
> +
>  free_tgcred:
>  #ifdef CONFIG_KEYS
>  	kfree(tgcred);

Oleg's umh-creds-kill-subprocess_info-cred-logic.patch removes
prepare_usermodehelper_creds() altogether.  An option would have been
to promote that into 2.6.34?



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] CRED: Fix double free in prepare_usermodehelper_creds() error handling
  2010-04-22 18:23 ` Andrew Morton
@ 2010-04-22 22:46   ` James Morris
  0 siblings, 0 replies; 4+ messages in thread
From: James Morris @ 2010-04-22 22:46 UTC (permalink / raw)
  To: Andrew Morton
  Cc: David Howells, linux-security-module, mathieu.desnoyers,
	linux-kernel

On Thu, 22 Apr 2010, Andrew Morton wrote:

> >  #ifdef CONFIG_KEYS
> >  	kfree(tgcred);
> 
> Oleg's umh-creds-kill-subprocess_info-cred-logic.patch removes
> prepare_usermodehelper_creds() altogether.  An option would have been
> to promote that into 2.6.34?

FYI, this fix is in Linus' tree, now.

-- 
James Morris
<jmorris@namei.org>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2010-04-22 22:47 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-20 21:41 [PATCH] CRED: Fix double free in prepare_usermodehelper_creds() error handling David Howells
2010-04-21 13:47 ` Mathieu Desnoyers
2010-04-22 18:23 ` Andrew Morton
2010-04-22 22:46   ` James Morris

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.