From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from [222.73.24.84] (helo=song.cn.fujitsu.com) by merlin.infradead.org with esmtp (Exim 4.76 #1 (Red Hat Linux)) id 1U8isy-0005mw-80 for kexec@lists.infradead.org; Fri, 22 Feb 2013 03:01:21 +0000 Message-ID: <5126DC06.5020005@cn.fujitsu.com> Date: Fri, 22 Feb 2013 10:46:30 +0800 From: Zhang Yanfei MIME-Version: 1.0 Subject: Re: [PATCH] kexec: prevent double free on image allocation failure References: <1361496375-30994-1-git-send-email-sasha.levin@oracle.com> <87vc9l5cz4.fsf@xmission.com> In-Reply-To: <87vc9l5cz4.fsf@xmission.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: base64 Sender: kexec-bounces@lists.infradead.org Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: "Eric W. Biederman" Cc: Sasha Levin , Andrew Morton , kexec@lists.infradead.org, linux-kernel@vger.kernel.org 09ogMjAxM8TqMDLUwjIyyNUgMDk6NTUsIEVyaWMgVy4gQmllZGVybWFuINC0tcA6Cj4gU2FzaGEg TGV2aW4gPHNhc2hhLmxldmluQG9yYWNsZS5jb20+IHdyaXRlczoKPiAKPj4gSWYga2ltYWdlX25v cm1hbF9hbGxvYygpIGZhaWxzIHRvIGluaXRpYWxpemUgYW4gYWxsb2NhdGVkIGtpbWFnZSwgaXQg d2lsbCBmcmVlCj4+IHRoZSBpbWFnZSBidXQgd291bGQgc3RpbGwgc2V0ICdyaW1hZ2UnLCBhcyBh IHJlc3VsdCBrZXhlY19sb2FkIHdpbGwgdHJ5Cj4+IHRvIGZyZWUgaXQgYWdhaW4uCj4+Cj4+IFRo aXMgd291bGQgZXhwbG9kZSBhcyBwYXJ0IG9mIHRoZSBmcmVlaW5nIHByb2Nlc3MgaXMgYWNjZXNz aW5nIGludGVybmFsCj4+IG1lbWJlcnMgd2hpY2ggcG9pbnQgdG8gdW5pbml0aWFsaXplZCBtZW1v cnkuCj4gCj4gQWdyZWVkLgo+IAo+IEkgZG9uJ3QgdGhpbmsgdGhhdCBmYWlsdXJlIHBhdGggaGFz IGV2ZXIgYWN0dWFsbHkgYmVlbiBleGVyY2lzZWQuCj4gCj4gVGhlIGNvZGUgaXMgd3JvbmcsIGFu ZCBpdCBpcyB3b3J0aCBmaXhpbmcuCj4gCj4gQW5kcmV3IEkgZG8geW91IHRoaW5rIHlvdSBjb3Vs ZCBxdWV1ZSB0aGlzIHVwPyAgSSBkb24ndCBoYXZlIGEgaGFuZHkgdHJlZS4KCgpJIHN0aWxsIGZv dW5kIGFub3RoZXIgbWFsbG9jL2ZyZWUgcHJvYmxlbSBpbiB0aGlzIGZ1bmN0aW9uLiBTbyBJIHVw ZGF0ZSB0aGUgcGF0Y2guCgotLS0tLS0tLS0tLS0tLS0tLS0tLS0KCkZyb20gMWZiNzZhMzVlNDEw OWUxNDM1ZjU1MDQ4YzIwZWE1ODYyMmU3Zjg3YiBNb24gU2VwIDE3IDAwOjAwOjAwIDIwMDEKRnJv bTogWmhhbmcgWWFuZmVpIDx6aGFuZ3lhbmZlaUBjbi5mdWppdHN1LmNvbT4KRGF0ZTogRnJpLCAy MiBGZWIgMjAxMyAxMDozNDowMiArMDgwMApTdWJqZWN0OiBbUEFUQ0hdIGtleGVjOiBmaXggYWxs b2NhdGlvbiBwcm9ibGVtcyBpbiBmdW5jdGlvbiBraW1hZ2Vfbm9ybWFsX2FsbG9jCgpUaGUgZnVu Y3Rpb24ga2ltYWdlX25vcm1hbF9hbGxvYygpIGhhcyAyIGFsbG9jYXRpb24gcHJvYmxlbXMgdGhh dCBtYXkgY2F1c2UKZmFpbHVyZXM6CgogIDEuIElmIGtpbWFnZV9ub3JtYWxfYWxsb2MoKSBmYWls cyB0byBpbml0aWFsaXplIGFuIGFsbG9jYXRlZCBraW1hZ2UsIGl0IHdpbGwKICAgICBmcmVlIHRo ZSBpbWFnZSBidXQgd291bGQgc3RpbGwgc2V0ICdyaW1hZ2UnLCBhcyBhIHJlc3VsdCBrZXhlY19s b2FkIHdpbGwKICAgICB0cnkgdG8gZnJlZSBpdCBhZ2Fpbi4KCiAgICAgVGhpcyB3b3VsZCBleHBs b2RlIGFzIHBhcnQgb2YgdGhlIGZyZWVpbmcgcHJvY2VzcyBpcyBhY2Nlc3NpbmcgaW50ZXJuYWwK ICAgICBtZW1iZXJzIHdoaWNoIHBvaW50IHRvIHVuaW5pdGlhbGl6ZWQgbWVtb3J5LgoKICAyLiBJ ZiBraW1hZ2Vfbm9ybWFsX2FsbG9jKCkgZmFpbHMgdG8gYWxsb2MgcGFnZXMgZm9yIGltYWdlLT5z d2FwX3BhZ2UsIGl0CiAgICAgc2hvdWxkIGNhbGwga2ltYWdlX2ZyZWVfcGFnZV9saXN0KCkgdG8g ZnJlZSBhbGxvY2F0ZWQgcGFnZXMgaW4KICAgICBpbWFnZS0+Y29udHJvbF9wYWdlcyBsaXN0IGJl Zm9yZSBpdCBmcmVlcyBpbWFnZS4KClNpZ25lZC1vZmYtYnk6IFNhc2hhIExldmluIDxzYXNoYS5s ZXZpbkBvcmFjbGUuY29tPgpTaWduZWQtb2ZmLWJ5OiBaaGFuZyBZYW5mZWkgPHpoYW5neWFuZmVp QGNuLmZ1aml0c3UuY29tPgotLS0KIGtlcm5lbC9rZXhlYy5jIHwgICAxMCArKysrKystLS0tCiAx IGZpbGVzIGNoYW5nZWQsIDYgaW5zZXJ0aW9ucygrKSwgNCBkZWxldGlvbnMoLSkKCmRpZmYgLS1n aXQgYS9rZXJuZWwva2V4ZWMuYyBiL2tlcm5lbC9rZXhlYy5jCmluZGV4IDVlNGJkNzguLmYyMTkz NTcgMTAwNjQ0Ci0tLSBhL2tlcm5lbC9rZXhlYy5jCisrKyBiL2tlcm5lbC9rZXhlYy5jCkBAIC0y MjMsNiArMjIzLDggQEAgb3V0OgogCiB9CiAKK3N0YXRpYyB2b2lkIGtpbWFnZV9mcmVlX3BhZ2Vf bGlzdChzdHJ1Y3QgbGlzdF9oZWFkICpsaXN0KTsKKwogc3RhdGljIGludCBraW1hZ2Vfbm9ybWFs X2FsbG9jKHN0cnVjdCBraW1hZ2UgKipyaW1hZ2UsIHVuc2lnbmVkIGxvbmcgZW50cnksCiAJCQkJ dW5zaWduZWQgbG9uZyBucl9zZWdtZW50cywKIAkJCQlzdHJ1Y3Qga2V4ZWNfc2VnbWVudCBfX3Vz ZXIgKnNlZ21lbnRzKQpAQCAtMjM2LDggKzIzOCw2IEBAIHN0YXRpYyBpbnQga2ltYWdlX25vcm1h bF9hbGxvYyhzdHJ1Y3Qga2ltYWdlICoqcmltYWdlLCB1bnNpZ25lZCBsb25nIGVudHJ5LAogCWlm IChyZXN1bHQpCiAJCWdvdG8gb3V0OwogCi0JKnJpbWFnZSA9IGltYWdlOwotCiAJLyoKIAkgKiBG aW5kIGEgbG9jYXRpb24gZm9yIHRoZSBjb250cm9sIGNvZGUgYnVmZmVyLCBhbmQgYWRkIGl0CiAJ ICogdGhlIHZlY3RvciBvZiBzZWdtZW50cyBzbyB0aGF0IGl0J3MgcGFnZXMgd2lsbCBhbHNvIGJl CkBAIC0yNTksMTAgKzI1OSwxMiBAQCBzdGF0aWMgaW50IGtpbWFnZV9ub3JtYWxfYWxsb2Moc3Ry dWN0IGtpbWFnZSAqKnJpbWFnZSwgdW5zaWduZWQgbG9uZyBlbnRyeSwKIAogCXJlc3VsdCA9IDA7 CiAgb3V0OgotCWlmIChyZXN1bHQgPT0gMCkKKwlpZiAocmVzdWx0ID09IDApIHsKIAkJKnJpbWFn ZSA9IGltYWdlOwotCWVsc2UKKwl9IGVsc2UgeworCQlraW1hZ2VfZnJlZV9wYWdlX2xpc3QoJmlt YWdlLT5jb250cm9sX3BhZ2VzKTsKIAkJa2ZyZWUoaW1hZ2UpOworCX0KIAogCXJldHVybiByZXN1 bHQ7CiB9Ci0tIAoxLjcuMQoKCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fCmtleGVjIG1haWxpbmcgbGlzdAprZXhlY0BsaXN0cy5pbmZyYWRlYWQub3JnCmh0 dHA6Ly9saXN0cy5pbmZyYWRlYWQub3JnL21haWxtYW4vbGlzdGluZm8va2V4ZWMK From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757648Ab3BVDBK (ORCPT ); Thu, 21 Feb 2013 22:01:10 -0500 Received: from cn.fujitsu.com ([222.73.24.84]:25701 "EHLO song.cn.fujitsu.com" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1755459Ab3BVDBG convert rfc822-to-8bit (ORCPT ); Thu, 21 Feb 2013 22:01:06 -0500 X-IronPort-AV: E=Sophos;i="4.84,713,1355068800"; d="scan'208";a="6746493" Message-ID: <5126DC06.5020005@cn.fujitsu.com> Date: Fri, 22 Feb 2013 10:46:30 +0800 From: Zhang Yanfei User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.8) Gecko/20121012 Thunderbird/10.0.8 MIME-Version: 1.0 To: "Eric W. Biederman" CC: Sasha Levin , kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Andrew Morton Subject: Re: [PATCH] kexec: prevent double free on image allocation failure References: <1361496375-30994-1-git-send-email-sasha.levin@oracle.com> <87vc9l5cz4.fsf@xmission.com> In-Reply-To: <87vc9l5cz4.fsf@xmission.com> X-MIMETrack: Itemize by SMTP Server on mailserver/fnst(Release 8.5.3|September 15, 2011) at 2013/02/22 10:47:22, Serialize by Router on mailserver/fnst(Release 8.5.3|September 15, 2011) at 2013/02/22 11:00:20 Content-Type: text/plain; charset=GB2312 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 于 2013年02月22日 09:55, Eric W. Biederman 写道: > Sasha Levin writes: > >> If kimage_normal_alloc() fails to initialize an allocated kimage, it will free >> the image but would still set 'rimage', as a result kexec_load will try >> to free it again. >> >> This would explode as part of the freeing process is accessing internal >> members which point to uninitialized memory. > > Agreed. > > I don't think that failure path has ever actually been exercised. > > The code is wrong, and it is worth fixing. > > Andrew I do you think you could queue this up? I don't have a handy tree. I still found another malloc/free problem in this function. So I update the patch. --------------------- >>From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001 From: Zhang Yanfei Date: Fri, 22 Feb 2013 10:34:02 +0800 Subject: [PATCH] kexec: fix allocation problems in function kimage_normal_alloc The function kimage_normal_alloc() has 2 allocation problems that may cause failures: 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. 2. If kimage_normal_alloc() fails to alloc pages for image->swap_page, it should call kimage_free_page_list() to free allocated pages in image->control_pages list before it frees image. Signed-off-by: Sasha Levin Signed-off-by: Zhang Yanfei --- kernel/kexec.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel/kexec.c b/kernel/kexec.c index 5e4bd78..f219357 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -223,6 +223,8 @@ out: } +static void kimage_free_page_list(struct list_head *list); + static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, unsigned long nr_segments, struct kexec_segment __user *segments) @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, if (result) goto out; - *rimage = image; - /* * Find a location for the control code buffer, and add it * the vector of segments so that it's pages will also be @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, result = 0; out: - if (result == 0) + if (result == 0) { *rimage = image; - else + } else { + kimage_free_page_list(&image->control_pages); kfree(image); + } return result; } -- 1.7.1