* [PATCH] Fix kfree() corruption in sock_read_buffer_sendmsg()
@ 2009-08-14 15:35 Dan Smith
       [not found] ` <1250264153-21697-1-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Smith @ 2009-08-14 15:35 UTC (permalink / raw)
  To: orenl-RdfvBDnrOixBDgjK7y7TUQ; +Cc: containers-qjLDD68F18O7TbgM5vRIOg

The memcpy_from_iovec() function that the unix sendmsg functions use modifies
the struct msghdr.  Since the current code uses the msg.iovec_base pointer
in the msghdr for the kmalloc() and kfree(), we end up freeing the wrong
pointer.  This patch stores the original address in a separate pointer and
corrects the kfree() call to use it.

Cc: serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org
Signed-off-by: Dan Smith <danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
---
 net/unix/checkpoint.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/unix/checkpoint.c b/net/unix/checkpoint.c
index 841d25d..65b7025 100644
--- a/net/unix/checkpoint.c
+++ b/net/unix/checkpoint.c
@@ -118,6 +118,7 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
 {
 	struct msghdr msg;
 	struct kvec kvec;
+	void *buf;
 	int ret = 0;
 	int len;
 
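Review bot: `buf` is declared uninitialized while the function's `out:` label frees it; if any path between this declaration and the `kmalloc()` can `goto out` (the lines in between are not shown in this hunk), `kfree(buf)` would act on stack garbage. Declaring it as `void *buf = NULL;` costs nothing, since kfree(NULL) is a no-op, and makes the cleanup path safe regardless of where it is entered.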
@@ -134,8 +135,9 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
 	}
 
 	kvec.iov_len = len;
-	kvec.iov_base = kmalloc(len, GFP_KERNEL);
-	if (!kvec.iov_base)
+	buf = kmalloc(len, GFP_KERNEL);
+	kvec.iov_base = buf;
+	if (!buf)
 		return -ENOMEM;
 
 	ret = ckpt_kread(ctx, kvec.iov_base, len);
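Review bot: the NULL check sits after `kvec.iov_base = buf;`, so the error path leaves `kvec` with `iov_len = len` and `iov_base = NULL`; harmless because the function returns immediately, but testing `buf` first and only then filling in `kvec` reads more naturally. For the same reason the unchanged `ckpt_kread(ctx, kvec.iov_base, len);` below could pass `buf` directly: the point of the patch is that `kvec.iov_base` no longer owns the allocation, so the code should stop reading it back as if it did.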
@@ -147,7 +149,7 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
 	if ((ret > 0) && (ret != len))
 		ret = -ENOMEM;
  out:
-	kfree(kvec.iov_base);
+	kfree(buf);
 
 	return ret;
 }
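Review bot: `kfree(buf)` now releases the original allocation rather than the iov_base the send path has advanced, which is the right fix, but the unchanged context just above maps a short write (`(ret > 0) && (ret != len)`) to `-ENOMEM`, which misreports a transfer failure as an allocation failure and will mislead anyone reading a restart log. `-EIO` would be a more accurate errno for that case; unrelated to this fix, but worth a follow-up.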
-- 
1.6.2.5

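The mechanism behind the fix, as an added user-space model that is not code from the patch or from the kernel: a helper named iov_consume() stands in for the side effect the commit message attributes to memcpy_from_iovec(), advancing iov_base and shrinking iov_len as data is copied out. send_buggy() and send_fixed() are hypothetical names for the old and patched patterns; each returns the pointer it would have handed to kfree() instead of freeing it, so the caller can compare that pointer against the real allocation.

```c
/* Added example, not code from the patch or the kernel. The struct and
 * the function names iov_consume, send_buggy, send_fixed and
 * frees_original are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kvec {
	void *iov_base;
	size_t iov_len;
};

/* Copy up to n bytes out of the iovec into dst, advancing the iovec in
 * place as the kernel's iovec helpers do. Returns the bytes copied. */
static size_t iov_consume(struct kvec *iov, void *dst, size_t n)
{
	size_t take = n < iov->iov_len ? n : iov->iov_len;

	memcpy(dst, iov->iov_base, take);
	iov->iov_base = (char *)iov->iov_base + take;
	iov->iov_len -= take;
	return take;
}

/* Old pattern: allocate straight into iov_base, send, then free iov_base.
 * Returns the pointer the old code would have passed to kfree(). */
static void *send_buggy(struct kvec *kvec, void *sink, size_t len,
			void **alloc_out)
{
	kvec->iov_len = len;
	kvec->iov_base = malloc(len);
	*alloc_out = kvec->iov_base;
	if (!kvec->iov_base)
		return NULL;
	memset(kvec->iov_base, 'A', len);	/* constructed payload */
	iov_consume(kvec, sink, len);		/* stands in for the send */
	return kvec->iov_base;			/* advanced by len bytes */
}

/* Patched pattern: keep the allocation in its own variable. */
static void *send_fixed(struct kvec *kvec, void *sink, size_t len,
			void **alloc_out)
{
	void *buf = malloc(len);

	*alloc_out = buf;
	if (!buf)
		return NULL;
	kvec->iov_len = len;
	kvec->iov_base = buf;
	memset(buf, 'A', len);
	iov_consume(kvec, sink, len);
	return buf;				/* unchanged by the send */
}

/* 1 if the pattern would free the original allocation, 0 otherwise.
 * len must be at most 64 (size of the constructed sink buffer). */
static int frees_original(int fixed, size_t len)
{
	struct kvec kvec;
	char sink[64];
	void *alloc, *to_free;
	int ok;

	to_free = fixed ? send_fixed(&kvec, sink, len, &alloc)
			: send_buggy(&kvec, sink, len, &alloc);
	ok = (to_free == alloc);
	free(alloc);		/* always release the real allocation here */
	return ok;
}

int main(void)
{
	printf("old pattern frees original allocation: %d\n",
	       frees_original(0, 16));
	printf("patched pattern frees original allocation: %d\n",
	       frees_original(1, 16));
	return 0;
}
```

With a non-empty buffer the old pattern hands kfree() a pointer len bytes past the start of the allocation, which is exactly the slab corruption the patch title describes; the patched pattern frees the original pointer because nothing the send path does can touch `buf`.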

* Re: [PATCH] Fix kfree() corruption in sock_read_buffer_sendmsg()
       [not found] ` <1250264153-21697-1-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
@ 2009-08-14 18:51   ` Serge E. Hallyn
       [not found]     ` <20090814185145.GA5712-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Serge E. Hallyn @ 2009-08-14 18:51 UTC (permalink / raw)
  To: Dan Smith; +Cc: containers-qjLDD68F18O7TbgM5vRIOg

Quoting Dan Smith (danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> The memcpy_from_iovec() function that the unix sendmsg functions use modifies
> the struct msghdr.  Since the current code uses the msg.iovec_base pointer
> in the msghdr for the kmalloc() and kfree(), we end up freeing the wrong
> pointer.  This patch stores the original address in a separate pointer and
> corrects the kfree() call to use it.
> 
> Cc: serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org
> Signed-off-by: Dan Smith <danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

Tested-by: Serge Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

> ---
>  net/unix/checkpoint.c |    8 +++++---
>  1 files changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/net/unix/checkpoint.c b/net/unix/checkpoint.c
> index 841d25d..65b7025 100644
> --- a/net/unix/checkpoint.c
> +++ b/net/unix/checkpoint.c
> @@ -118,6 +118,7 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
>  {
>  	struct msghdr msg;
>  	struct kvec kvec;
> +	void *buf;
>  	int ret = 0;
>  	int len;
> 
> @@ -134,8 +135,9 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
>  	}
> 
>  	kvec.iov_len = len;
> -	kvec.iov_base = kmalloc(len, GFP_KERNEL);
> -	if (!kvec.iov_base)
> +	buf = kmalloc(len, GFP_KERNEL);
> +	kvec.iov_base = buf;
> +	if (!buf)
>  		return -ENOMEM;
> 
>  	ret = ckpt_kread(ctx, kvec.iov_base, len);
> @@ -147,7 +149,7 @@ static int sock_read_buffer_sendmsg(struct ckpt_ctx *ctx, struct sock *sock)
>  	if ((ret > 0) && (ret != len))
>  		ret = -ENOMEM;
>   out:
> -	kfree(kvec.iov_base);
> +	kfree(buf);
> 
>  	return ret;
>  }
> -- 
> 1.6.2.5


* Re: [PATCH] Fix kfree() corruption in sock_read_buffer_sendmsg()
       [not found]     ` <20090814185145.GA5712-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
@ 2009-08-14 20:21       ` Oren Laadan
  0 siblings, 0 replies; 3+ messages in thread
From: Oren Laadan @ 2009-08-14 20:21 UTC (permalink / raw)
  To: Serge E. Hallyn; +Cc: containers-qjLDD68F18O7TbgM5vRIOg, Dan Smith



Serge E. Hallyn wrote:
> Quoting Dan Smith (danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
>> The memcpy_from_iovec() function that the unix sendmsg functions use modifies
>> the struct msghdr.  Since the current code uses the msg.iovec_base pointer
>> in the msghdr for the kmalloc() and kfree(), we end up freeing the wrong
>> pointer.  This patch stores the original address in a separate pointer and
>> corrects the kfree() call to use it.
>>
>> Cc: serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org
>> Signed-off-by: Dan Smith <danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> 
> Tested-by: Serge Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

Pulled.

Oren.

