From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Sitsofe Wheeler <sitsofe@yahoo.com>,
	Frederic Weisbecker <fweisbec@gmail.com>,
	Christof Schmitt <christof.schmitt@de.ibm.com>,
	Rusty Russell <rusty@rustcorp.com.au>
Subject: [36/99] param: fix lots of bugs with writing charp params from sysfs, by leaking mem.
Date: Fri, 06 Nov 2009 14:14:34 -0800	[thread overview]
Message-ID: <20091106221543.453166367@mini.kroah.org> (raw)
In-Reply-To: <20091106221850.GA15408@kroah.com>


2.6.31-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Rusty Russell <rusty@rustcorp.com.au>

commit 65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef upstream.

e180a6b7759a "param: fix charp parameters set via sysfs" fixed the case
where charp parameters written via sysfs were freed, leaving drivers
accessing random memory.

Unfortunately, storing a flag in the kparam struct was a bad idea: it's
rodata so setting it causes an oops on some archs.  But that's not all:

1) module_param_array() on charp doesn't work reliably, since we use an
   uninitialized temporary struct kernel_param.
2) there's a fundamental race if a module uses this parameter and then
   it's changed: they will still access the old, freed, memory.

The simplest fix (i.e. for 2.6.32) is to never free the memory.  This
prevents all these problems, at the cost of a memory leak.  In practice, there
are only 18 places where a charp is writable via sysfs, and all are
root-only writable.

Reported-by: Takashi Iwai <tiwai@suse.de>
Cc: Sitsofe Wheeler <sitsofe@yahoo.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Christof Schmitt <christof.schmitt@de.ibm.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 include/linux/moduleparam.h |    1 -
 kernel/params.c             |   10 +---------
 2 files changed, 1 insertion(+), 10 deletions(-)

--- a/include/linux/moduleparam.h
+++ b/include/linux/moduleparam.h
@@ -37,7 +37,6 @@ typedef int (*param_set_fn)(const char *
 typedef int (*param_get_fn)(char *buffer, struct kernel_param *kp);
 
 /* Flag bits for kernel_param.flags */
-#define KPARAM_KMALLOCED	1
 #define KPARAM_ISBOOL		2
 
 struct kernel_param {
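Review bot: dropping KPARAM_KMALLOCED from this public header turns any remaining reference to the flag into a build break, and the diffstat (include/linux/moduleparam.h and kernel/params.c only) shows that the two uses in kernel/params.c are the only ones this series clears; a tree-wide grep before backporting to 2.6.31 would confirm the stable tree carries no other in-tree user. A one-line comment here saying why the flag went away (the struct is rodata, so a flag cannot be set at runtime, per the commit message) would stop the next reader from reintroducing a writable flag in the same place.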
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -217,13 +217,9 @@ int param_set_charp(const char *val, str
 		return -ENOSPC;
 	}
 
-	if (kp->flags & KPARAM_KMALLOCED)
-		kfree(*(char **)kp->arg);
-
 	/* This is a hack.  We can't need to strdup in early boot, and we
 	 * don't need to; this mangled commandline is preserved. */
 	if (slab_is_available()) {
-		kp->flags |= KPARAM_KMALLOCED;
 		*(char **)kp->arg = kstrdup(val, GFP_KERNEL);
 		if (!kp->arg)
 			return -ENOMEM;
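Review bot: the OOM check in the unchanged context, `if (!kp->arg)`, tests the address of the module's variable rather than the string kstrdup() just returned, so a failed allocation stores NULL in the charp and still returns 0; it should read `if (!*(char **)kp->arg)`. The defect predates this hunk and [37/99] "param: fix NULL comparison on oom" in this same series appears to address it, but since this hunk edits the adjacent line, carrying the two together would keep the stable history from containing an intermediate state with the wrong test.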
@@ -604,11 +600,7 @@ void module_param_sysfs_remove(struct mo
 
 void destroy_params(const struct kernel_param *params, unsigned num)
 {
-	unsigned int i;
-
-	for (i = 0; i < num; i++)
-		if (params[i].flags & KPARAM_KMALLOCED)
-			kfree(*(char **)params[i].arg);
+	/* FIXME: This should free kmalloced charp parameters.  It doesn't. */
 }
 
 static void __init kernel_add_sysfs_param(const char *name,
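Review bot: with the loop removed, destroy_params() now leaks every charp that was kstrdup()'ed while slab was available, which includes values given on the modprobe command line at load time and not only the 18 root-only sysfs-writable ones the commit message counts, so each load/unload cycle of a module with a charp parameter leaks its strings. The FIXME (or the commit message) should state that scope so the cost is weighed correctly for a stable backport; the `params` and `num` arguments are now unused, which a short comment next to the FIXME could also acknowledge.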


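Added example, not the kernel's code and not part of this patch: a userspace C model of the two param_set_charp() strategies the commit message contrasts. `struct kparam`, the `tracked_strdup()`/`tracked_free()` bookkeeping, `set_charp_freeing()`, `set_charp_leaking()` and `simulate()` are stand-ins written for this illustration; the bookkeeping records which strings are live so that the dangling pointer of the free-then-replace variant is detected by lookup rather than by reading freed memory, and freed blocks are quarantined so malloc cannot recycle their addresses within a run.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocation bookkeeping standing in for kmalloc/kfree. */
#define MAX_LIVE 64
static char *live[MAX_LIVE], *quarantine[MAX_LIVE];
static int live_count, quarantine_count;

static char *tracked_strdup(const char *s)
{
    char *p = strdup(s);
    if (p && live_count < MAX_LIVE)
        live[live_count++] = p;
    return p;
}

static void tracked_free(char *p)
{
    for (int i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];
            /* Hold the block instead of returning it to malloc, so its address
             * cannot be recycled and mistaken for a live string within a run. */
            if (quarantine_count < MAX_LIVE)
                quarantine[quarantine_count++] = p;
            return;
        }
    }
}

/* Is p an allocation that has not been freed?  Used instead of reading *p. */
static int ptr_is_live(const char *p)
{
    for (int i = 0; i < live_count; i++)
        if (live[i] == p)
            return 1;
    return 0;
}

static void reset_tracking(void)
{
    while (live_count)
        free(live[--live_count]);
    while (quarantine_count)
        free(quarantine[--quarantine_count]);
}

#define KPARAM_KMALLOCED 1

/* Hypothetical stand-in for struct kernel_param with only the members used here. */
struct kparam {
    unsigned int flags;
    void *arg;   /* address of the module's `char *` variable */
};

/* Pre-patch strategy (e180a6b7759a): free the old string, then replace it. */
static int set_charp_freeing(const char *val, struct kparam *kp)
{
    if (kp->flags & KPARAM_KMALLOCED)
        tracked_free(*(char **)kp->arg);
    kp->flags |= KPARAM_KMALLOCED;   /* in the kernel this store hits rodata */
    *(char **)kp->arg = tracked_strdup(val);
    return *(char **)kp->arg ? 0 : -ENOMEM;
}

/* Post-patch strategy (65afac7d80ab): never free; each write leaks the old string. */
static int set_charp_leaking(const char *val, struct kparam *kp)
{
    *(char **)kp->arg = tracked_strdup(val);
    return *(char **)kp->arg ? 0 : -ENOMEM;
}

typedef int (*set_fn)(const char *, struct kparam *);

/* Scenario: the module copies the pointer at load time and keeps using it,
 * then root writes the parameter through sysfs twice. */
static void simulate(set_fn set, int *cached_survives, int *leaked)
{
    char *module_var = NULL;
    struct kparam kp = { .flags = 0, .arg = &module_var };
    const char *cached;

    reset_tracking();
    set("initial", &kp);
    cached = module_var;             /* the module's long-lived copy */
    set("second", &kp);              /* sysfs write #1 */
    set("third", &kp);               /* sysfs write #2 */

    *cached_survives = ptr_is_live(cached);
    *leaked = live_count - 1;        /* everything but the current string is leaked */
}

static int cached_pointer_survives(set_fn set)
{
    int survives, leaked;
    simulate(set, &survives, &leaked);
    return survives;
}

static int strings_leaked(set_fn set)
{
    int survives, leaked;
    simulate(set, &survives, &leaked);
    return leaked;
}

int main(void)
{
    printf("free-then-replace: cached pointer valid=%d, leaked strings=%d\n",
           cached_pointer_survives(set_charp_freeing), strings_leaked(set_charp_freeing));
    printf("never-free:        cached pointer valid=%d, leaked strings=%d\n",
           cached_pointer_survives(set_charp_leaking), strings_leaked(set_charp_leaking));
    return 0;
}
```

Built with any C99 compiler, the free-then-replace variant leaves the module's cached pointer dangling after the first sysfs write (the use-after-free the commit message describes as a fundamental race), while the never-free variant keeps that pointer valid at the cost of one leaked string per write, which is the bound the commit message accepts for the 18 root-only writable charp parameters.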