Re: memory leak in sctp_process_init - Marcelo Ricardo Leitner

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: syzbot <syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com>,
	davem@davemloft.net, linux-kernel@vger.kernel.org,
	linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, vyasevich@gmail.com
Subject: Re: memory leak in sctp_process_init
Date: Thu, 30 May 2019 15:17:05 +0000	[thread overview]
Message-ID: <20190530151705.GD3713@localhost.localdomain> (raw)
In-Reply-To: <20190530142011.GC1966@hmswarspite.think-freely.org>

On Thu, May 30, 2019 at 10:20:11AM -0400, Neil Horman wrote:
> On Wed, May 29, 2019 at 08:37:57PM -0300, Marcelo Ricardo Leitner wrote:
> > On Wed, May 29, 2019 at 03:07:09PM -0400, Neil Horman wrote:
> > > --- a/net/sctp/sm_make_chunk.c
> > > +++ b/net/sctp/sm_make_chunk.c
> > > @@ -2419,9 +2419,12 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
> > >  	/* Copy cookie in case we need to resend COOKIE-ECHO. */
> > >  	cookie = asoc->peer.cookie;
> > >  	if (cookie) {
> > > +		if (asoc->peer.cookie_allocated)
> > > +			kfree(cookie);
> > >  		asoc->peer.cookie = kmemdup(cookie, asoc->peer.cookie_len, gfp);
> > >  		if (!asoc->peer.cookie)
> > >  			goto clean_up;
> > > +		asoc->peer.cookie_allocated=1;
> > >  	}
> > >  
> > >  	/* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily
> > 
> > What if we kmemdup directly at sctp_process_param(), as it's done for
> > others already? Like SCTP_PARAM_RANDOM and SCTP_PARAM_HMAC_ALGO. I
> > don't see a reason for SCTP_PARAM_STATE_COOKIE to be different
> > here. This way it would be always allocated, and ready to be kfreed.
> > 
> > We still need to free it after the handshake, btw.
> > 
> >   Marcelo
> > 
> 
> Still untested, but something like this?
> 

Yes, just..

> 
> diff --git a/net/sctp/associola.c b/net/sctp/associola.c
> index d2c7d0d2abc1..718b9917844e 100644
> --- a/net/sctp/associola.c
> +++ b/net/sctp/associola.c
> @@ -393,6 +393,7 @@ void sctp_association_free(struct sctp_association *asoc)
>  	kfree(asoc->peer.peer_random);
>  	kfree(asoc->peer.peer_chunks);
>  	kfree(asoc->peer.peer_hmacs);
> +	kfree(asoc->peer.cookie);

this chunk is not needed because it is freed right above the first
kfree() in the context here.

>  
>  	/* Release the transport structures. */
>  	list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 72e74503f9fc..ff365f22a3c1 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2431,14 +2431,6 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
>  	/* Peer Rwnd   : Current calculated value of the peer's rwnd.  */
>  	asoc->peer.rwnd = asoc->peer.i.a_rwnd;
>  
> -	/* Copy cookie in case we need to resend COOKIE-ECHO. */
> -	cookie = asoc->peer.cookie;
> -	if (cookie) {
> -		asoc->peer.cookie = kmemdup(cookie, asoc->peer.cookie_len, gfp);
> -		if (!asoc->peer.cookie)
> -			goto clean_up;
> -	}
> -
>  	/* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily
>  	 * high (for example, implementations MAY use the size of the receiver
>  	 * advertised window).
> @@ -2607,7 +2599,9 @@ static int sctp_process_param(struct sctp_association *asoc,
>  	case SCTP_PARAM_STATE_COOKIE:
>  		asoc->peer.cookie_len >  			ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> -		asoc->peer.cookie = param.cookie->body;
> +		asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> +		if (!asoc->peer.cookie)
> +			retval = 0;
>  		break;
>  
>  	case SCTP_PARAM_HEARTBEAT_INFO:

Plus:

--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -898,6 +898,11 @@ static void sctp_cmd_new_state(struct sctp_cmd_seq *cmds,
 						asoc->rto_initial;
 	}
 
+	if (sctp_state(asoc, ESTABLISHED)) {
+		kfree(asoc->peer.cookie);
+		asoc->peer.cookie = NULL;
+	}
+
 	if (sctp_state(asoc, ESTABLISHED) ||
 	    sctp_state(asoc, CLOSED) ||
 	    sctp_state(asoc, SHUTDOWN_RECEIVED)) {

Also untested, just sharing the idea.

  Marcelo

WARNING: multiple messages have this Message-ID (diff)

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: syzbot <syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com>,
	davem@davemloft.net, linux-kernel@vger.kernel.org,
	linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, vyasevich@gmail.com
Subject: Re: memory leak in sctp_process_init
Date: Thu, 30 May 2019 12:17:05 -0300	[thread overview]
Message-ID: <20190530151705.GD3713@localhost.localdomain> (raw)
In-Reply-To: <20190530142011.GC1966@hmswarspite.think-freely.org>

On Thu, May 30, 2019 at 10:20:11AM -0400, Neil Horman wrote:
> On Wed, May 29, 2019 at 08:37:57PM -0300, Marcelo Ricardo Leitner wrote:
> > On Wed, May 29, 2019 at 03:07:09PM -0400, Neil Horman wrote:
> > > --- a/net/sctp/sm_make_chunk.c
> > > +++ b/net/sctp/sm_make_chunk.c
> > > @@ -2419,9 +2419,12 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
> > >  	/* Copy cookie in case we need to resend COOKIE-ECHO. */
> > >  	cookie = asoc->peer.cookie;
> > >  	if (cookie) {
> > > +		if (asoc->peer.cookie_allocated)
> > > +			kfree(cookie);
> > >  		asoc->peer.cookie = kmemdup(cookie, asoc->peer.cookie_len, gfp);
> > >  		if (!asoc->peer.cookie)
> > >  			goto clean_up;
> > > +		asoc->peer.cookie_allocated=1;
> > >  	}
> > >  
> > >  	/* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily
> > 
> > What if we kmemdup directly at sctp_process_param(), as it's done for
> > others already? Like SCTP_PARAM_RANDOM and SCTP_PARAM_HMAC_ALGO. I
> > don't see a reason for SCTP_PARAM_STATE_COOKIE to be different
> > here. This way it would be always allocated, and ready to be kfreed.
> > 
> > We still need to free it after the handshake, btw.
> > 
> >   Marcelo
> > 
> 
> Still untested, but something like this?
> 

Yes, just..

> 
> diff --git a/net/sctp/associola.c b/net/sctp/associola.c
> index d2c7d0d2abc1..718b9917844e 100644
> --- a/net/sctp/associola.c
> +++ b/net/sctp/associola.c
> @@ -393,6 +393,7 @@ void sctp_association_free(struct sctp_association *asoc)
>  	kfree(asoc->peer.peer_random);
>  	kfree(asoc->peer.peer_chunks);
>  	kfree(asoc->peer.peer_hmacs);
> +	kfree(asoc->peer.cookie);

this chunk is not needed because it is freed right above the first
kfree() in the context here.

>  
>  	/* Release the transport structures. */
>  	list_for_each_safe(pos, temp, &asoc->peer.transport_addr_list) {
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 72e74503f9fc..ff365f22a3c1 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2431,14 +2431,6 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
>  	/* Peer Rwnd   : Current calculated value of the peer's rwnd.  */
>  	asoc->peer.rwnd = asoc->peer.i.a_rwnd;
>  
> -	/* Copy cookie in case we need to resend COOKIE-ECHO. */
> -	cookie = asoc->peer.cookie;
> -	if (cookie) {
> -		asoc->peer.cookie = kmemdup(cookie, asoc->peer.cookie_len, gfp);
> -		if (!asoc->peer.cookie)
> -			goto clean_up;
> -	}
> -
>  	/* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily
>  	 * high (for example, implementations MAY use the size of the receiver
>  	 * advertised window).
> @@ -2607,7 +2599,9 @@ static int sctp_process_param(struct sctp_association *asoc,
>  	case SCTP_PARAM_STATE_COOKIE:
>  		asoc->peer.cookie_len =
>  			ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> -		asoc->peer.cookie = param.cookie->body;
> +		asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> +		if (!asoc->peer.cookie)
> +			retval = 0;
>  		break;
>  
>  	case SCTP_PARAM_HEARTBEAT_INFO:

Plus:

--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -898,6 +898,11 @@ static void sctp_cmd_new_state(struct sctp_cmd_seq *cmds,
 						asoc->rto_initial;
 	}
 
+	if (sctp_state(asoc, ESTABLISHED)) {
+		kfree(asoc->peer.cookie);
+		asoc->peer.cookie = NULL;
+	}
+
 	if (sctp_state(asoc, ESTABLISHED) ||
 	    sctp_state(asoc, CLOSED) ||
 	    sctp_state(asoc, SHUTDOWN_RECEIVED)) {

Also untested, just sharing the idea.

  Marcelo

next prev parent reply	other threads:[~2019-05-30 15:17 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-28  0:48 memory leak in sctp_process_init syzbot
2019-05-28  0:48 ` syzbot
2019-05-28  1:36 ` Marcelo Ricardo Leitner
2019-05-28  1:36   ` Marcelo Ricardo Leitner
2019-05-28 11:15   ` Neil Horman
2019-05-28 11:15     ` Neil Horman
2019-05-29 19:07     ` Neil Horman
2019-05-29 19:07       ` Neil Horman
2019-05-29 23:37       ` Marcelo Ricardo Leitner
2019-05-29 23:37         ` Marcelo Ricardo Leitner
2019-05-30 11:24         ` Neil Horman
2019-05-30 11:24           ` Neil Horman
2019-05-30 14:20         ` Neil Horman
2019-05-30 14:20           ` Neil Horman
2019-05-30 15:17           ` Marcelo Ricardo Leitner [this message]
2019-05-30 15:17             ` Marcelo Ricardo Leitner
2019-05-30 19:56             ` Neil Horman
2019-05-30 19:56               ` Neil Horman
2019-05-31 12:42               ` Marcelo Ricardo Leitner
2019-05-31 12:42                 ` Marcelo Ricardo Leitner
2019-05-31 16:43                 ` Neil Horman
2019-05-31 16:43                   ` Neil Horman
2019-06-03 20:32 ` [PATCH V2] Fix " Neil Horman
2019-06-03 20:32   ` Neil Horman
2019-06-03 21:42   ` Marcelo Ricardo Leitner
2019-06-03 21:42     ` Marcelo Ricardo Leitner
2019-06-04 20:16   ` Xin Long
2019-06-04 20:16     ` Xin Long
2019-06-04 20:59     ` Marcelo Ricardo Leitner
2019-06-04 20:59       ` Marcelo Ricardo Leitner
2019-06-05 11:20     ` Neil Horman
2019-06-05 11:20       ` Neil Horman
2019-06-06 15:47       ` Marcelo Ricardo Leitner
2019-06-06 15:47         ` Marcelo Ricardo Leitner
2019-06-07 10:56         ` Neil Horman
2019-06-07 10:56           ` Neil Horman
2019-06-07 12:48           ` Marcelo Ricardo Leitner
2019-06-07 12:48             ` Marcelo Ricardo Leitner
2019-06-08  7:06             ` Xin Long
2019-06-08  7:06               ` Xin Long
2019-06-06  0:14   ` David Miller
2019-06-06  0:14     ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190530151705.GD3713@localhost.localdomain \
    --to=marcelo.leitner@gmail.com \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-sctp@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=nhorman@tuxdriver.com \
    --cc=syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=vyasevich@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.