From: Danny Feng <dfeng@redhat.com>
To: Paul Moore <paul.moore@hp.com>
Cc: jmorris@namei.org, eparis@parisplace.org, sds@tycho.nsa.gov,
serue@us.ibm.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] selinux: fix memory leak in sel_make_bools
Date: Fri, 14 Aug 2009 10:00:58 +0800 [thread overview]
Message-ID: <4A84C55A.40300@redhat.com> (raw)
In-Reply-To: <200908131455.15381.paul.moore@hp.com>
On 08/14/2009 02:55 AM, Paul Moore wrote:
> On Thursday 13 August 2009 04:26:16 am Xiaotian Feng wrote:
>> In sel_make_bools, kernel allocates memory for bool_pending_names[i]
>> with security_get_bools. So if we just free bool_pending_names, those
>> memories for bool_pending_names[i] will be leaked.
>>
>> This patch resolves dozens of following kmemleak report after resuming
>> from suspend:
>> unreferenced object 0xffff88022e4c7380 (size 32):
>> comm "init", pid 1, jiffies 4294677173
>> backtrace:
>> [<ffffffff810f76b5>] create_object+0x1a2/0x2a9
>> [<ffffffff810f78bb>] kmemleak_alloc+0x26/0x4b
>> [<ffffffff810ef3eb>] __kmalloc+0x18f/0x1b8
>> [<ffffffff811cd511>] security_get_bools+0xd7/0x16f
>> [<ffffffff811c48c0>] sel_write_load+0x12e/0x62b
>> [<ffffffff810f9a39>] vfs_write+0xae/0x10b
>> [<ffffffff810f9b56>] sys_write+0x4a/0x6e
>> [<ffffffff81011b82>] system_call_fastpath+0x16/0x1b
>> [<ffffffffffffffff>] 0xffffffffffffffff
>>
>> Signed-off-by: Xiaotian Feng<dfeng@redhat.com>
>> ---
>> security/selinux/selinuxfs.c | 6 +++++-
>> 1 files changed, 5 insertions(+), 1 deletions(-)
>>
>> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
>> index b4fc506..ab93472 100644
>> --- a/security/selinux/selinuxfs.c
>> +++ b/security/selinux/selinuxfs.c
>> @@ -979,7 +979,11 @@ static int sel_make_bools(void)
>> u32 sid;
>>
>> /* remove any existing files */
>> - kfree(bool_pending_names);
>> + if (bool_pending_names) {
>> + for (i = 0; i< bool_num; i++)
>> + kfree(bool_pending_names[i]);
>> + kfree(bool_pending_names);
>> + }
>> kfree(bool_pending_values);
>> bool_pending_names = NULL;
>> bool_pending_values = NULL;
>
> Since the code seems to rely on 'bool_num' in other places to ensure we don't
> walk off the end of the array it is probably safe to omit the 'if
> (bool_pending_names) ...' conditional and just rely on the for loop to do the
> right thing.
Thanks for point out, I'll resend V2 patch :-)
next prev parent reply other threads:[~2009-08-14 2:01 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-13 8:26 [PATCH] selinux: fix memory leak in sel_make_bools Xiaotian Feng
2009-08-13 18:55 ` Paul Moore
2009-08-14 2:00 ` Danny Feng [this message]
2009-08-14 2:02 ` [PATCH V2] " Xiaotian Feng
2009-08-14 2:36 ` Serge E. Hallyn
2009-08-14 6:06 ` James Morris
2010-02-08 10:59 ` Xiaotian Feng
2010-02-08 21:24 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A84C55A.40300@redhat.com \
--to=dfeng@redhat.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox