[-next] sysctl: fix memleak in proc_sys_call_handler()
diff mbox series

Message ID 20200804154503.3863200-1-yangyingliang@huawei.com
State New
Headers show
Series
  • [-next] sysctl: fix memleak in proc_sys_call_handler()
Related show

Commit Message

Yang Yingliang Aug. 4, 2020, 3:45 p.m. UTC
I got a memleak report when doing some fuzz test:

BUG: memory leak
unreferenced object 0xffff888103f3da00 (size 64):
comm "syz-executor.0", pid 2270, jiffies 4295404698 (age 46.593s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000004f2c0607>] kmalloc include/linux/slab.h:559 [inline]
[<000000004f2c0607>] kzalloc include/linux/slab.h:666 [inline]
[<000000004f2c0607>] proc_sys_call_handler+0x1d4/0x480 fs/proc/proc_sysctl.c:574
[<000000005ec6a16b>] call_write_iter include/linux/fs.h:1876 [inline]
[<000000005ec6a16b>] new_sync_write+0x3c5/0x5b0 fs/read_write.c:515
[<00000000bbeebb83>] vfs_write+0x4e8/0x670 fs/read_write.c:595
[<000000009d967c93>] ksys_write+0x10c/0x220 fs/read_write.c:648
[<00000000139f6002>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
[<00000000b7d61f44>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Go to free buff when copy_from_iter_full() is failed.

Fixes: 1dea05cbc0d7 ("sysctl: Convert to iter interfaces")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 fs/proc/proc_sysctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Luis Chamberlain Aug. 13, 2020, 4:49 p.m. UTC | #1
On Tue, Aug 04, 2020 at 03:45:03PM +0000, Yang Yingliang wrote:
> I got a memleak report when doing some fuzz test:
> 
> BUG: memory leak
> unreferenced object 0xffff888103f3da00 (size 64):
> comm "syz-executor.0", pid 2270, jiffies 4295404698 (age 46.593s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<000000004f2c0607>] kmalloc include/linux/slab.h:559 [inline]
> [<000000004f2c0607>] kzalloc include/linux/slab.h:666 [inline]
> [<000000004f2c0607>] proc_sys_call_handler+0x1d4/0x480 fs/proc/proc_sysctl.c:574
> [<000000005ec6a16b>] call_write_iter include/linux/fs.h:1876 [inline]
> [<000000005ec6a16b>] new_sync_write+0x3c5/0x5b0 fs/read_write.c:515
> [<00000000bbeebb83>] vfs_write+0x4e8/0x670 fs/read_write.c:595
> [<000000009d967c93>] ksys_write+0x10c/0x220 fs/read_write.c:648
> [<00000000139f6002>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
> [<00000000b7d61f44>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> Go to free buff when copy_from_iter_full() is failed.
> 
> Fixes: 1dea05cbc0d7 ("sysctl: Convert to iter interfaces")
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

Acked-by: Luis Chamberlain <mcgrof@kernel.org>

Good catch.

  Luis
> ---
>  fs/proc/proc_sysctl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index 9f6b9c3e3fda..a4a3122f8a58 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -578,7 +578,7 @@ static ssize_t proc_sys_call_handler(struct kiocb *iocb, struct iov_iter *iter,
>  	if (write) {
>  		error = -EFAULT;
>  		if (!copy_from_iter_full(kbuf, count, iter))
> -			goto out;
> +			goto out_free_buf;
>  		kbuf[count] = '\0';
>  	}
>  
> -- 
> 2.25.1
>

Patch
diff mbox series

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 9f6b9c3e3fda..a4a3122f8a58 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -578,7 +578,7 @@  static ssize_t proc_sys_call_handler(struct kiocb *iocb, struct iov_iter *iter,
 	if (write) {
 		error = -EFAULT;
 		if (!copy_from_iter_full(kbuf, count, iter))
-			goto out;
+			goto out_free_buf;
 		kbuf[count] = '\0';
 	}