Message ID | 1478774822-48114-1-git-send-email-himanshu.sh@samsung.com (mailing list archive) |
---|---|
State | New, archived |
On 11/10/2016 2:47 AM, Himanshu Shukla wrote: > Memory leak in smack_cred_prepare()function. > smack_cred_prepare() hook returns error if there is error in allocating > memory in smk_copy_rules() or smk_copy_relabel() function. > If smack_cred_prepare() function returns error then the calling > function should call smack_cred_free() function for cleanup. > In smack_cred_free() function first credential is extracted and > then all rules are deleted. In smack_cred_prepare() function security > field is assigned in the end when all function return success. But this > function may return before and memory will not be freed. > > Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Applied to git://github.com/cschaufler/smack-next.git#smack-for-4.10 > --- > security/smack/smack_lsm.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index 1cb0602..f766fbf 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -2023,6 +2023,8 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, > if (new_tsp == NULL) > return -ENOMEM; > > + new->security = new_tsp; > + > rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); > if (rc != 0) > return rc; > @@ -2032,7 +2034,6 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, > if (rc != 0) > return rc; > > - new->security = new_tsp; > return 0; > }
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1cb0602..f766fbf 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2023,6 +2023,8 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, if (new_tsp == NULL) return -ENOMEM; + new->security = new_tsp; + rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); if (rc != 0) return rc; @@ -2032,7 +2034,6 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, if (rc != 0) return rc; - new->security = new_tsp; return 0; }
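Review bot: The early `new->security = new_tsp;` in the first hunk (@@ -2023) needs a short code comment saying that it must stay ahead of smk_copy_rules(), because the caller's smack_cred_free() can only find and release new_tsp through new->security when a copy call fails. Without that comment the ordering looks arbitrary, and a later tidy-up could move the assignment back to the end of the function and reintroduce the leak on the `return rc;` paths.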
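Review bot: In the second hunk (@@ -2032), the `return rc;` path now leaves new->security pointing at a partially populated new_tsp, so correctness depends entirely on the caller's cleanup. The commit message says the caller "should call" smack_cred_free() and that it deletes all rules; please confirm it also releases whatever smk_copy_relabel() had copied before failing, and name the calling function in the commit message so the cleanup guarantee can be checked.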
Memory leak in smack_cred_prepare() function.
smack_cred_prepare() hook returns error if there is error in allocating
memory in smk_copy_rules() or smk_copy_relabel() function.
If smack_cred_prepare() function returns error then the calling
function should call smack_cred_free() function for cleanup.
In smack_cred_free() function first credential is extracted and
then all rules are deleted. In smack_cred_prepare() function security
field is assigned in the end when all function return success. But this
function may return before and memory will not be freed.

Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
---
 security/smack/smack_lsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)