From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from [222.73.24.84] (helo=song.cn.fujitsu.com) by merlin.infradead.org with esmtp (Exim 4.76 #1 (Red Hat Linux)) id 1U8jyp-0000Kr-Fj for kexec@lists.infradead.org; Fri, 22 Feb 2013 04:11:28 +0000 Message-ID: <5126ECF8.2050806@cn.fujitsu.com> Date: Fri, 22 Feb 2013 11:58:48 +0800 From: Zhang Yanfei MIME-Version: 1.0 Subject: Re: [PATCH] kexec: prevent double free on image allocation failure References: <1361496375-30994-1-git-send-email-sasha.levin@oracle.com> <87vc9l5cz4.fsf@xmission.com> <5126DC06.5020005@cn.fujitsu.com> <5126E8F2.70502@oracle.com> In-Reply-To: <5126E8F2.70502@oracle.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: base64 Sender: kexec-bounces@lists.infradead.org Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: Sasha Levin Cc: Andrew Morton , kexec@lists.infradead.org, "Eric W. Biederman" , linux-kernel@vger.kernel.org 09ogMjAxM8TqMDLUwjIyyNUgMTE6NDEsIFNhc2hhIExldmluINC0tcA6Cj4gT24gMDIvMjEvMjAx MyAwOTo0NiBQTSwgWmhhbmcgWWFuZmVpIHdyb3RlOgo+PiDT2iAyMDEzxOowMtTCMjLI1SAwOTo1 NSwgRXJpYyBXLiBCaWVkZXJtYW4g0LS1wDoKPj4+IFNhc2hhIExldmluIDxzYXNoYS5sZXZpbkBv cmFjbGUuY29tPiB3cml0ZXM6Cj4+Pgo+Pj4+IElmIGtpbWFnZV9ub3JtYWxfYWxsb2MoKSBmYWls cyB0byBpbml0aWFsaXplIGFuIGFsbG9jYXRlZCBraW1hZ2UsIGl0IHdpbGwgZnJlZQo+Pj4+IHRo ZSBpbWFnZSBidXQgd291bGQgc3RpbGwgc2V0ICdyaW1hZ2UnLCBhcyBhIHJlc3VsdCBrZXhlY19s b2FkIHdpbGwgdHJ5Cj4+Pj4gdG8gZnJlZSBpdCBhZ2Fpbi4KPj4+Pgo+Pj4+IFRoaXMgd291bGQg ZXhwbG9kZSBhcyBwYXJ0IG9mIHRoZSBmcmVlaW5nIHByb2Nlc3MgaXMgYWNjZXNzaW5nIGludGVy bmFsCj4+Pj4gbWVtYmVycyB3aGljaCBwb2ludCB0byB1bmluaXRpYWxpemVkIG1lbW9yeS4KPj4+ Cj4+PiBBZ3JlZWQuCj4+Pgo+Pj4gSSBkb24ndCB0aGluayB0aGF0IGZhaWx1cmUgcGF0aCBoYXMg ZXZlciBhY3R1YWxseSBiZWVuIGV4ZXJjaXNlZC4KPj4+Cj4+PiBUaGUgY29kZSBpcyB3cm9uZywg YW5kIGl0IGlzIHdvcnRoIGZpeGluZy4KPj4+Cj4+PiBBbmRyZXcgSSBkbyB5b3UgdGhpbmsgeW91 IGNvdWxkIHF1ZXVlIHRoaXMgdXA/ICBJIGRvbid0IGhhdmUgYSBoYW5keSB0cmVlLgo+Pgo+Pgo+ PiBJIHN0aWxsIGZvdW5kIGFub3RoZXIgbWFsbG9jL2ZyZWUgcHJvYmxlbSBpbiB0aGlzIGZ1bmN0 aW9uLiBTbyBJIHVwZGF0ZSB0aGUgcGF0Y2guCj4+Cj4+IC0tLS0tLS0tLS0tLS0tLS0tLS0tLQo+ Pgo+PiBGcm9tIDFmYjc2YTM1ZTQxMDllMTQzNWY1NTA0OGMyMGVhNTg2MjJlN2Y4N2IgTW9uIFNl cCAxNyAwMDowMDowMCAyMDAxCj4+IEZyb206IFpoYW5nIFlhbmZlaSA8emhhbmd5YW5mZWlAY24u ZnVqaXRzdS5jb20+Cj4+IERhdGU6IEZyaSwgMjIgRmViIDIwMTMgMTA6MzQ6MDIgKzA4MDAKPj4g U3ViamVjdDogW1BBVENIXSBrZXhlYzogZml4IGFsbG9jYXRpb24gcHJvYmxlbXMgaW4gZnVuY3Rp b24ga2ltYWdlX25vcm1hbF9hbGxvYwo+Pgo+PiBUaGUgZnVuY3Rpb24ga2ltYWdlX25vcm1hbF9h bGxvYygpIGhhcyAyIGFsbG9jYXRpb24gcHJvYmxlbXMgdGhhdCBtYXkgY2F1c2UKPj4gZmFpbHVy ZXM6Cj4+Cj4+ICAgMS4gSWYga2ltYWdlX25vcm1hbF9hbGxvYygpIGZhaWxzIHRvIGluaXRpYWxp emUgYW4gYWxsb2NhdGVkIGtpbWFnZSwgaXQgd2lsbAo+PiAgICAgIGZyZWUgdGhlIGltYWdlIGJ1 dCB3b3VsZCBzdGlsbCBzZXQgJ3JpbWFnZScsIGFzIGEgcmVzdWx0IGtleGVjX2xvYWQgd2lsbAo+ PiAgICAgIHRyeSB0byBmcmVlIGl0IGFnYWluLgo+Pgo+PiAgICAgIFRoaXMgd291bGQgZXhwbG9k ZSBhcyBwYXJ0IG9mIHRoZSBmcmVlaW5nIHByb2Nlc3MgaXMgYWNjZXNzaW5nIGludGVybmFsCj4+ ICAgICAgbWVtYmVycyB3aGljaCBwb2ludCB0byB1bmluaXRpYWxpemVkIG1lbW9yeS4KPj4KPj4g ICAyLiBJZiBraW1hZ2Vfbm9ybWFsX2FsbG9jKCkgZmFpbHMgdG8gYWxsb2MgcGFnZXMgZm9yIGlt YWdlLT5zd2FwX3BhZ2UsIGl0Cj4+ICAgICAgc2hvdWxkIGNhbGwga2ltYWdlX2ZyZWVfcGFnZV9s aXN0KCkgdG8gZnJlZSBhbGxvY2F0ZWQgcGFnZXMgaW4KPj4gICAgICBpbWFnZS0+Y29udHJvbF9w YWdlcyBsaXN0IGJlZm9yZSBpdCBmcmVlcyBpbWFnZS4KPj4KPj4gU2lnbmVkLW9mZi1ieTogU2Fz aGEgTGV2aW4gPHNhc2hhLmxldmluQG9yYWNsZS5jb20+Cj4+IFNpZ25lZC1vZmYtYnk6IFpoYW5n IFlhbmZlaSA8emhhbmd5YW5mZWlAY24uZnVqaXRzdS5jb20+Cj4+IC0tLQo+PiAga2VybmVsL2tl eGVjLmMgfCAgIDEwICsrKysrKy0tLS0KPj4gIDEgZmlsZXMgY2hhbmdlZCwgNiBpbnNlcnRpb25z KCspLCA0IGRlbGV0aW9ucygtKQo+Pgo+PiBkaWZmIC0tZ2l0IGEva2VybmVsL2tleGVjLmMgYi9r ZXJuZWwva2V4ZWMuYwo+PiBpbmRleCA1ZTRiZDc4Li5mMjE5MzU3IDEwMDY0NAo+PiAtLS0gYS9r ZXJuZWwva2V4ZWMuYwo+PiArKysgYi9rZXJuZWwva2V4ZWMuYwo+PiBAQCAtMjIzLDYgKzIyMyw4 IEBAIG91dDoKPj4gIAo+PiAgfQo+PiAgCj4+ICtzdGF0aWMgdm9pZCBraW1hZ2VfZnJlZV9wYWdl X2xpc3Qoc3RydWN0IGxpc3RfaGVhZCAqbGlzdCk7Cj4+ICsKPj4gIHN0YXRpYyBpbnQga2ltYWdl X25vcm1hbF9hbGxvYyhzdHJ1Y3Qga2ltYWdlICoqcmltYWdlLCB1bnNpZ25lZCBsb25nIGVudHJ5 LAo+PiAgCQkJCXVuc2lnbmVkIGxvbmcgbnJfc2VnbWVudHMsCj4+ICAJCQkJc3RydWN0IGtleGVj X3NlZ21lbnQgX191c2VyICpzZWdtZW50cykKPj4gQEAgLTIzNiw4ICsyMzgsNiBAQCBzdGF0aWMg aW50IGtpbWFnZV9ub3JtYWxfYWxsb2Moc3RydWN0IGtpbWFnZSAqKnJpbWFnZSwgdW5zaWduZWQg bG9uZyBlbnRyeSwKPj4gIAlpZiAocmVzdWx0KQo+PiAgCQlnb3RvIG91dDsKPj4gIAo+PiAtCSpy aW1hZ2UgPSBpbWFnZTsKPj4gLQo+PiAgCS8qCj4+ICAJICogRmluZCBhIGxvY2F0aW9uIGZvciB0 aGUgY29udHJvbCBjb2RlIGJ1ZmZlciwgYW5kIGFkZCBpdAo+PiAgCSAqIHRoZSB2ZWN0b3Igb2Yg c2VnbWVudHMgc28gdGhhdCBpdCdzIHBhZ2VzIHdpbGwgYWxzbyBiZQo+PiBAQCAtMjU5LDEwICsy NTksMTIgQEAgc3RhdGljIGludCBraW1hZ2Vfbm9ybWFsX2FsbG9jKHN0cnVjdCBraW1hZ2UgKipy aW1hZ2UsIHVuc2lnbmVkIGxvbmcgZW50cnksCj4+ICAKPj4gIAlyZXN1bHQgPSAwOwo+PiAgIG91 dDoKPj4gLQlpZiAocmVzdWx0ID09IDApCj4+ICsJaWYgKHJlc3VsdCA9PSAwKSB7Cj4+ICAJCSpy aW1hZ2UgPSBpbWFnZTsKPj4gLQllbHNlCj4+ICsJfSBlbHNlIHsKPj4gKwkJa2ltYWdlX2ZyZWVf cGFnZV9saXN0KCZpbWFnZS0+Y29udHJvbF9wYWdlcyk7Cj4+ICAJCWtmcmVlKGltYWdlKTsKPj4g Kwl9Cj4+ICAKPj4gIAlyZXR1cm4gcmVzdWx0Owo+PiAgfQo+IAo+IEFuZCBpZiBkb19raW1hZ2Vf YWxsb2MoKSBmYWlscyBpbnN0ZWFkIG9mIGtpbWFnZV9hbGxvY19jb250cm9sX3BhZ2VzKCkKPiB5 b3Ugd2lsbCBOVUxMIGRlcmVmICdpbWFnZScsIHNvIG5vdyBpbnN0ZWFkIG9mIGxlYWtpbmcgcGFn ZXMgdGhlIGtlcm5lbAo+IHdpbGwgZXhwbG9kZS4KCk9oLCBJIG1pc3NlZCB0aGlzLgoKPiAKPiBF aXRoZXIgd2F5LCB0aGlzIGlzc3VlIHlvdSd2ZSBwb2ludGVkIG91dCBzaG91bGQgYmUgZml4ZWQg aW4gYSBzZXBhcmF0ZQo+IHBhdGNoLgo+IAo+IAoKT0ujrEkgd2lsbCBzZW5kIGFub3RoZXIgcGF0 Y2guCgpUaGFua3MKWmhhbmcKCgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fXwprZXhlYyBtYWlsaW5nIGxpc3QKa2V4ZWNAbGlzdHMuaW5mcmFkZWFkLm9yZwpo dHRwOi8vbGlzdHMuaW5mcmFkZWFkLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2tleGVjCg== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755876Ab3BVELX (ORCPT ); Thu, 21 Feb 2013 23:11:23 -0500 Received: from cn.fujitsu.com ([222.73.24.84]:19504 "EHLO song.cn.fujitsu.com" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1755501Ab3BVELW convert rfc822-to-8bit (ORCPT ); Thu, 21 Feb 2013 23:11:22 -0500 X-IronPort-AV: E=Sophos;i="4.84,713,1355068800"; d="scan'208";a="6746975" Message-ID: <5126ECF8.2050806@cn.fujitsu.com> Date: Fri, 22 Feb 2013 11:58:48 +0800 From: Zhang Yanfei User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.8) Gecko/20121012 Thunderbird/10.0.8 MIME-Version: 1.0 To: Sasha Levin CC: "Eric W. Biederman" , kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Andrew Morton Subject: Re: [PATCH] kexec: prevent double free on image allocation failure References: <1361496375-30994-1-git-send-email-sasha.levin@oracle.com> <87vc9l5cz4.fsf@xmission.com> <5126DC06.5020005@cn.fujitsu.com> <5126E8F2.70502@oracle.com> In-Reply-To: <5126E8F2.70502@oracle.com> X-MIMETrack: Itemize by SMTP Server on mailserver/fnst(Release 8.5.3|September 15, 2011) at 2013/02/22 11:59:41, Serialize by Router on mailserver/fnst(Release 8.5.3|September 15, 2011) at 2013/02/22 11:59:52 Content-Type: text/plain; charset=GB2312 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 于 2013年02月22日 11:41, Sasha Levin 写道: > On 02/21/2013 09:46 PM, Zhang Yanfei wrote: >> 于 2013年02月22日 09:55, Eric W. Biederman 写道: >>> Sasha Levin writes: >>> >>>> If kimage_normal_alloc() fails to initialize an allocated kimage, it will free >>>> the image but would still set 'rimage', as a result kexec_load will try >>>> to free it again. >>>> >>>> This would explode as part of the freeing process is accessing internal >>>> members which point to uninitialized memory. >>> >>> Agreed. >>> >>> I don't think that failure path has ever actually been exercised. >>> >>> The code is wrong, and it is worth fixing. >>> >>> Andrew I do you think you could queue this up? I don't have a handy tree. >> >> >> I still found another malloc/free problem in this function. So I update the patch. >> >> --------------------- >> >> From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001 >> From: Zhang Yanfei >> Date: Fri, 22 Feb 2013 10:34:02 +0800 >> Subject: [PATCH] kexec: fix allocation problems in function kimage_normal_alloc >> >> The function kimage_normal_alloc() has 2 allocation problems that may cause >> failures: >> >> 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will >> free the image but would still set 'rimage', as a result kexec_load will >> try to free it again. >> >> This would explode as part of the freeing process is accessing internal >> members which point to uninitialized memory. >> >> 2. If kimage_normal_alloc() fails to alloc pages for image->swap_page, it >> should call kimage_free_page_list() to free allocated pages in >> image->control_pages list before it frees image. >> >> Signed-off-by: Sasha Levin >> Signed-off-by: Zhang Yanfei >> --- >> kernel/kexec.c | 10 ++++++---- >> 1 files changed, 6 insertions(+), 4 deletions(-) >> >> diff --git a/kernel/kexec.c b/kernel/kexec.c >> index 5e4bd78..f219357 100644 >> --- a/kernel/kexec.c >> +++ b/kernel/kexec.c >> @@ -223,6 +223,8 @@ out: >> >> } >> >> +static void kimage_free_page_list(struct list_head *list); >> + >> static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, >> unsigned long nr_segments, >> struct kexec_segment __user *segments) >> @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, >> if (result) >> goto out; >> >> - *rimage = image; >> - >> /* >> * Find a location for the control code buffer, and add it >> * the vector of segments so that it's pages will also be >> @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, >> >> result = 0; >> out: >> - if (result == 0) >> + if (result == 0) { >> *rimage = image; >> - else >> + } else { >> + kimage_free_page_list(&image->control_pages); >> kfree(image); >> + } >> >> return result; >> } > > And if do_kimage_alloc() fails instead of kimage_alloc_control_pages() > you will NULL deref 'image', so now instead of leaking pages the kernel > will explode. Oh, I missed this. > > Either way, this issue you've pointed out should be fixed in a separate > patch. > > OK,I will send another patch. Thanks Zhang