public inbox for linux-kernel@vger.kernel.org
From: Jesper Juhl <jesper.juhl@gmail.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: David Airlie <airlied@linux.ie>, Jesper Juhl <jesper.juhl@gmail.com>
Subject: [PATCH] Fix "use after free" / "double free" bug in amd_create_gatt_pages / amd_free_gatt_pages
Date: Thu, 19 Jul 2007 00:14:30 +0200
Message-ID: <200707190014.30235.jesper.juhl@gmail.com>

Hi,

Coverity spotted a "use after free" bug in 
drivers/char/agp/amd-k7-agp.c::amd_create_gatt_pages().

The problem is this:
	If "entry = kzalloc(sizeof(struct amd_page_map), GFP_KERNEL);"
fails, then there's a loop in the function to free all entries 
allocated so far and break out of the allocation loop. That in itself 
is pretty sane, but then the (now freed) 'tables' is assigned to 
amd_irongate_private.gatt_pages and 'retval' is set to -ENOMEM which 
causes amd_free_gatt_pages() to be called at the end of the function.
The problem with this is that amd_free_gatt_pages() will then loop 
'amd_irongate_private.num_tables' times and try to free each entry in 
tables[] - this is bad since tables has already been freed and 
furthermore it will call kfree(tables) at the end - a double free.

This patch removes the freeing loop in amd_create_gatt_pages() and 
instead relies entirely on the call to amd_free_gatt_pages() to free 
everything we allocated in case of an error. It also sets 
amd_irongate_private.num_tables to the actual number of entries 
allocated instead of just using the value passed in from the caller - 
this ensures that amd_free_gatt_pages() will only attempt to free 
stuff that was actually allocated.

Note: I'm in no way intimate with this code and I have no way to 
actually test this patch (besides compile-testing it), so while I've 
tried to be careful in reading the code and make sure the patch 
does the right thing, an ACK from someone who actually knows the 
code in depth would be very much appreciated.


Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
---

 drivers/char/agp/amd-k7-agp.c |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/drivers/char/agp/amd-k7-agp.c b/drivers/char/agp/amd-k7-agp.c
index df0ddf1..56d9c4b 100644
--- a/drivers/char/agp/amd-k7-agp.c
+++ b/drivers/char/agp/amd-k7-agp.c
@@ -100,21 +100,16 @@ static int amd_create_gatt_pages(int nr_tables)
 
 	for (i = 0; i < nr_tables; i++) {
 		entry = kzalloc(sizeof(struct amd_page_map), GFP_KERNEL);
+		tables[i] = entry;
 		if (entry == NULL) {
-			while (i > 0) {
-				kfree(tables[i-1]);
-				i--;
-			}
-			kfree(tables);
 			retval = -ENOMEM;
 			break;
 		}
-		tables[i] = entry;
 		retval = amd_create_page_map(entry);
 		if (retval != 0)
 			break;
 	}
-	amd_irongate_private.num_tables = nr_tables;
+	amd_irongate_private.num_tables = i;
 	amd_irongate_private.gatt_pages = tables;
 
 	if (retval != 0)
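Review bot: The amd_create_page_map() failure path (the `if (retval != 0) break;` near the bottom of the hunk) now leaks the entry for index i: tables[i] holds a live kzalloc()'d page map, but `break` leaves i unincremented, so `amd_irongate_private.num_tables = i` excludes that slot and amd_free_gatt_pages() never kfree()s it. Either kfree(entry) (and clear tables[i]) before that break, or count the partially initialised entry in num_tables if amd_free_gatt_pages() can cope with an entry whose page map was never created. The kzalloc() failure case itself looks right: storing the NULL first and excluding it via `num_tables = i` removes the free-then-free-again sequence the changelog describes.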



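As an added illustration, not part of this patch or of the kernel's AGP code: a stand-alone C model of the two cleanup paths described above, with a constructed tracking allocator (fake_kzalloc, fake_kfree, live[], alloc_budget and the `patched` switch are all assumed names) standing in for kzalloc/kfree, so that the pre-patch double free can be counted instead of corrupting a real heap.

```c
#include <stdlib.h>
struct page_map { int real_page; };	/* stand-in for struct amd_page_map */
/* Constructed tracking allocator: memory never goes back to libc, so a read through the
 * "freed" tables[] stays defined here and a second kfree() of a pointer is just counted. */
static void *live[64];
static int nlive, alloc_budget, bad_frees, num_tables;	/* num_tables: as in amd_irongate_private */
/* Fault injection: returns NULL once the allocation budget is spent. */
static void *fake_kzalloc(size_t n) { return alloc_budget-- > 0 ? (live[nlive++] = calloc(1, n)) : NULL; }
static void fake_kfree(void *p)		/* kfree(NULL) is a no-op, as in the kernel */
{
	for (int k = 0; p && k < nlive; k++)
		if (live[k] == p) { live[k] = live[--nlive]; return; }
	if (p) bad_frees++;		/* p is not live any more: a double free */
}
/* As the mail describes amd_free_gatt_pages(): kfree num_tables entries, then the array. */
static void free_gatt_pages(struct page_map **tables)
{
	for (int i = 0; i < num_tables; i++) fake_kfree(tables[i]);
	fake_kfree(tables);
}
/* The allocation loop; `patched` selects the pre-patch (0) or post-patch (1) cleanup path. */
static int create_gatt_pages(int nr_tables, int patched)
{
	struct page_map **tables = fake_kzalloc(nr_tables * sizeof(*tables));
	int i, retval = 0;
	if (!tables) return -1;
	for (i = 0; i < nr_tables; i++) {
		struct page_map *entry = fake_kzalloc(sizeof(*entry));
		if (patched) tables[i] = entry;	/* store first: a NULL slot is harmless to kfree */
		if (!entry) {
			if (!patched) {		/* old path frees everything right here... */
				while (i > 0) fake_kfree(tables[--i]);
				fake_kfree(tables);
			}
			retval = -1;
			break;
		}
		if (!patched) tables[i] = entry;
	}
	num_tables = patched ? i : nr_tables;	/* old code trusts the caller's count */
	if (retval) free_gatt_pages(tables);	/* ...and then frees it all a second time */
	return retval;
}
/* One scenario: returns the double frees seen (0 = clean); nlive afterwards counts what leaked. */
static int run(int nr_tables, int budget, int patched)
{
	nlive = bad_frees = 0; alloc_budget = budget;
	create_gatt_pages(nr_tables, patched);
	return bad_frees;
}
```

With four tables and a budget that fails the fourth entry allocation, the old path reports four invalid frees (three entries plus the tables array), the patched path none, and both leave nothing live.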