Re: [PATCH] pidfd: fix memory leak in pidfd_getfd()

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
Cc: christian@brauner.io, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] pidfd: fix memory leak in pidfd_getfd()
Date: Mon, 6 Jul 2020 08:38:10 -0700	[thread overview]
Message-ID: <202007060834.5D4F78BF8A@keescook> (raw)
In-Reply-To: <20200706125250.GA2828@cosmos>

Note: please review recent commit history for bug fixes like this -- I
introduced this bug. :)

On Mon, Jul 06, 2020 at 06:22:55PM +0530, Vamshi K Sthambamkadi wrote:
> kmemleak backtrace:
> 
> comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2  ..............o.
>     b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
>     [<8ff6a575>] __alloc_file+0x1e/0xe0
>     [<e1479798>] alloc_empty_file+0x45/0x100
>     [<727fe6eb>] alloc_file+0x23/0xf0
>     [<457148ef>] alloc_file_pseudo+0x98/0x100
>     [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
>     [<5edc3e9b>] shmem_file_setup+0x4c/0x70
>     [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
>     [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
>     [<62569441>] do_fast_syscall_32+0x39/0xb0
>     [<3c515b7e>] do_SYSENTER_32+0x15/0x20
>     [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
> 
> comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
>   hex dump (first 16 bytes):
>     01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
>     [<b67faec5>] security_file_alloc+0x20/0x90
>     [<ed849d41>] __alloc_file+0x40/0xe0
>     [<e1479798>] alloc_empty_file+0x45/0x100
>     [<727fe6eb>] alloc_file+0x23/0xf0
>     [<457148ef>] alloc_file_pseudo+0x98/0x100
>     [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
>     [<5edc3e9b>] shmem_file_setup+0x4c/0x70
>     [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
>     [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
>     [<62569441>] do_fast_syscall_32+0x39/0xb0
>     [<3c515b7e>] do_SYSENTER_32+0x15/0x20
>     [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
> 
> This is because in pidfd_getfd(), the file->f_count is incremented twice
> 1) __pidfd_fget() gets file ref by incrementing f_count in __fget_files()
> 2) f_count is incremented While installing fd in __fd_install_received()
>    i.e. get_file().
> 
> Memory leak occurs because the refs count do not match, the struct file
> object is never freed.
> 
> Secondly the error validity check (ret < 0) after the call to
> fd_install_received() is not needed since this function cannot return
> negative number after incrementing f_count. So it is wrong to call fput
> on condition (ret < 0).
> 
> Change pidfd_getfd() to call fput() on file reference once its installed
> as new_fd in target process.
> 
> Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>

Thanks! I'll get this fixed.

-Kees

> ---
>  kernel/pid.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/pid.c b/kernel/pid.c
> index 5799ae5..d00139c 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -653,8 +653,8 @@ static int pidfd_getfd(struct pid *pid, int fd)
>  		return PTR_ERR(file);
>  
>  	ret = fd_install_received(file, O_CLOEXEC);
> -	if (ret < 0)
> -		fput(file);
> +
> +	fput(file);
>  	return ret;
>  }
>  
> -- 
> 2.7.4
> 

-- 
Kees Cook

     prev parent reply	other threads:[~2020-07-06 15:38 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-06 12:52 [PATCH] pidfd: fix memory leak in pidfd_getfd() Vamshi K Sthambamkadi
2020-07-06 12:58 ` Christian Brauner
2020-07-06 15:38 ` Kees Cook [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202007060834.5D4F78BF8A@keescook \
    --to=keescook@chromium.org \
    --cc=christian@brauner.io \
    --cc=linux-kernel@vger.kernel.org \
    --cc=vamshi.k.sthambamkadi@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox