| Message ID | 1565978422-9661-1-git-send-email-linux.bhar@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | dma-buf: Fix memory leak in dma_buf_set_name | expand |
On Fri, Aug 16, 2019 at 05:14:24PM -0300, Ezequiel Garcia wrote: > Hi Bharath, > > Thanks for taking the time to try to fix this report. > > However, this doesn't look right. > > On Fri, 2019-08-16 at 23:30 +0530, Bharath Vedartham wrote: > > This patch fixes a memory leak bug reported by syzbot. Link to the > > bug is given at [1]. > > > > A local variable name is used to hold the copied user buffer string > > using strndup_user. strndup_user allocates memory using > > kmalloc_track_caller in memdup_user. This kmalloc allocation needs to be > > followed by a kfree. > > > > This patch has been tested by a compile test. > > > > [1] https://syzkaller.appspot.com/bug?id=ce692a3aa13e00e335e090be7846c6eb60ddff7a > > > > Reported-by: syzbot+b2098bc44728a4efb3e9@syzkaller.appspotmail.com > > Signed-off-by: Bharath Vedartham <linux.bhar@gmail.com> > > --- > > drivers/dma-buf/dma-buf.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > > index f45bfb2..9798f6d 100644 > > --- a/drivers/dma-buf/dma-buf.c > > +++ b/drivers/dma-buf/dma-buf.c > > @@ -342,6 +342,7 @@ static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) > > } > > kfree(dmabuf->name); > > dmabuf->name = name; > > + kfree(name); > > > > Just by looking at this, you can deduce something is not right. > You are assigning "name" to dmabuf->name, but then releasing "name"! > > So now, dmabuf->name has free memory, which will lead to > user-after-free issues. > > Note also, that this function doesn't look leaky since the previous > "name" is freed, before setting a new one. > > Maybe the syzbot report is some kind of false positive? > > Also, I _strongly_ suggest that in the future you don't compile-test > only these kind of not trivial fixes. Since you are touching a crucial > part of the kernel here, you should really be testing properly. > > Specially since syzbot produces a reproducer. > > Consider compile test as something you do when your changes are > only cosmetic, and you are completely and absolutely sure things > will be OK. > > Thanks. > Ezequiel Hi Ezequiel, Thank you for taking the time to review this. I made a mistake here and thank you for notifying me of it. Thank you for your comments, I ll keep them in mind before sending patches to the kernel :) Thank you Bharath
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index f45bfb2..9798f6d 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -342,6 +342,7 @@ static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) } kfree(dmabuf->name); dmabuf->name = name; + kfree(name); out_unlock: mutex_unlock(&dmabuf->lock);
This patch fixes a memory leak bug reported by syzbot. Link to the bug is given at [1]. A local variable name is used to hold the copied user buffer string using strndup_user. strndup_user allocates memory using kmalloc_track_caller in memdup_user. This kmalloc allocation needs to be followed by a kfree. This patch has been tested by a compile test. [1] https://syzkaller.appspot.com/bug?id=ce692a3aa13e00e335e090be7846c6eb60ddff7a Reported-by: syzbot+b2098bc44728a4efb3e9@syzkaller.appspotmail.com Signed-off-by: Bharath Vedartham <linux.bhar@gmail.com> --- drivers/dma-buf/dma-buf.c | 1 + 1 file changed, 1 insertion(+)