On Tue, Aug 16, 2016 at 02:34:15PM -0400, Robert Foss wrote:
> On 2016-08-16 02:18 PM, Jann Horn wrote:
> >On Tue, Aug 16, 2016 at 01:34:14PM -0400, robert.foss@xxxxxxxxxxxxx wrote:
> >>+ }
> >>+
> >>+ return 0;
> >>+
> >>+error:
> >>+ return ret;
> >>+}
> >>+
> >[...]
> >>+const struct file_operations proc_totmaps_operations = {
> >>+ .open = totmaps_open,
> >>+ .read = seq_read,
> >>+ .llseek = seq_lseek,
> >>+ .release = proc_map_release,
> >>+};
> >
> >As I said regarding v2 already:
> >This won't release priv->task, causing a memory leak (exploitable
> >through a reference counter overflow of the task_struct usage
> >counter).
>
> Sorry about dropping the ball on that one, what's the correct way to release
> priv->task?

get_proc_task() does get_pid_task(), which does get_task_struct(), which
increments the ->usage field of the task. You want the inverse operation -
something that decrements ->usage and checks for zero. This is done via
put_task_struct(), which is defined a few lines below get_task_struct().
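Review bot: the `.release = proc_map_release,` entry in the proc_totmaps_operations hunk reuses a release handler that, per the review above, never drops the task reference that totmaps_open obtained through get_proc_task(), so every open/close cycle leaks one ->usage count on the task_struct. Give this file its own release callback that calls put_task_struct(priv->task) for the reference taken at open time and then performs the existing proc_map_release cleanup, and keep the two calls paired on every open path, including the `error:` return in the first hunk, so a failed open does not leak either.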
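As an added illustration that is not code from the patch or from the kernel, a user-space model of the get_task_struct()/put_task_struct() pairing Jann describes: `task.usage` stands in for `task_struct->usage`, and the hypothetical `release_leaky` and `release_fixed` functions show how a release path that skips the put leaves one stale reference per open.

```c
#include <stddef.h>

/* Constructed model, not kernel code: usage mirrors task_struct->usage. */
struct task { unsigned int usage; };

/* Mirrors get_task_struct(): take one reference on the task. */
static void get_task_struct(struct task *t) { t->usage++; }

/* Mirrors put_task_struct(): drop one reference; returns 1 when the last
 * reference is gone (the kernel would free the task_struct at this point). */
static int put_task_struct(struct task *t)
{
    return --t->usage == 0;
}

/* Per-open private data, as in the /proc maps files. */
struct proc_maps_private { struct task *task; };

/* Hypothetical open: stores the task reference, as totmaps_open does after
 * get_proc_task() has called get_task_struct() on its behalf. */
static void totmaps_open(struct proc_maps_private *priv, struct task *t)
{
    get_task_struct(t);
    priv->task = t;
}

/* Leaky release: tears down the private data but never drops the reference. */
static void release_leaky(struct proc_maps_private *priv)
{
    priv->task = NULL;
}

/* Fixed release: the inverse of the open path, put before teardown. */
static void release_fixed(struct proc_maps_private *priv)
{
    put_task_struct(priv->task);
    priv->task = NULL;
}

/* Runs open/release `cycles` times and returns how many references leaked. */
unsigned int leaked_refs(unsigned int cycles, int fixed)
{
    struct task t = { .usage = 1 };  /* the task's own baseline reference */
    struct proc_maps_private priv = { NULL };
    for (unsigned int i = 0; i < cycles; i++) {
        totmaps_open(&priv, &t);
        if (fixed) release_fixed(&priv); else release_leaky(&priv);
    }
    return t.usage - 1;
}
```

With the fixed release the count returns to baseline after any number of cycles; with the leaky one it grows by one per open, which is the accumulation behind the reference-counter concern raised in the review.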