Re: [efi:next 15/19] fs/efivarfs/super.c:180:7-11: ERROR: reference preceded by free on line 162

Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx> · Mon, 15 Aug 2016 15:54:12 +0100

On Tue, 09 Aug, at 02:02:39PM, Julia Lawall wrote:
> Possibility of a double free.
> 
> julia
> 
> ---------- Forwarded message ----------
> Date: Tue, 9 Aug 2016 19:58:20 +0800
> From: kbuild test robot <fengguang.wu@xxxxxxxxx>
> To: kbuild@xxxxxx
> Cc: Julia Lawall <julia.lawall@xxxxxxx>
> Subject: [efi:next 15/19] fs/efivarfs/super.c:180:7-11: ERROR: reference
>     preceded by free on line 162
> 
> CC: kbuild-all@xxxxxx
> CC: linux-efi@xxxxxxxxxxxxxxx
> TO: Sylvain Chouleur <sylvain.chouleur@xxxxxxxxx>
> CC: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>
> CC: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> 
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi.git next
> head:   302c675f2c1f6a2426709695d6dfe8683cfc7bab
> commit: 0d22f33bc37ce1c9f10dd304bd335d6feb7796d1 [15/19] efi: Don't use spinlocks for efi vars
> :::::: branch date: 4 days ago
> :::::: commit date: 2 weeks ago
> 
> >> fs/efivarfs/super.c:180:7-11: ERROR: reference preceded by free on line 162
> 
> git remote add efi https://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi.git
> git remote update efi
> git checkout 0d22f33bc37ce1c9f10dd304bd335d6feb7796d1
> vim +180 fs/efivarfs/super.c
> 
> d68772b7 Matt Fleming     2013-02-08  156  	if (IS_ERR(dentry)) {
> d68772b7 Matt Fleming     2013-02-08  157  		err = PTR_ERR(dentry);
> d68772b7 Matt Fleming     2013-02-08  158  		goto fail_inode;
> d68772b7 Matt Fleming     2013-02-08  159  	}
> d68772b7 Matt Fleming     2013-02-08  160
> d68772b7 Matt Fleming     2013-02-08  161  	/* copied by the above to local storage in the dentry. */
> d68772b7 Matt Fleming     2013-02-08 @162  	kfree(name);
> d68772b7 Matt Fleming     2013-02-08  163
> d68772b7 Matt Fleming     2013-02-08  164  	efivar_entry_size(entry, &size);
> 0d22f33b Sylvain Chouleur 2016-07-15  165  	err = efivar_entry_add(entry, &efivarfs_list);
> 0d22f33b Sylvain Chouleur 2016-07-15  166  	if (err)
> 0d22f33b Sylvain Chouleur 2016-07-15  167  		goto fail_inode;
> d68772b7 Matt Fleming     2013-02-08  168
> 5955102c Al Viro          2016-01-22  169  	inode_lock(inode);
> d68772b7 Matt Fleming     2013-02-08  170  	inode->i_private = entry;
> d68772b7 Matt Fleming     2013-02-08  171  	i_size_write(inode, size + sizeof(entry->var.Attributes));
> 5955102c Al Viro          2016-01-22  172  	inode_unlock(inode);
> d68772b7 Matt Fleming     2013-02-08  173  	d_add(dentry, inode);
> d68772b7 Matt Fleming     2013-02-08  174
> d68772b7 Matt Fleming     2013-02-08  175  	return 0;
> d68772b7 Matt Fleming     2013-02-08  176
> d68772b7 Matt Fleming     2013-02-08  177  fail_inode:
> d68772b7 Matt Fleming     2013-02-08  178  	iput(inode);
> d68772b7 Matt Fleming     2013-02-08  179  fail_name:
> d68772b7 Matt Fleming     2013-02-08 @180  	kfree(name);
> d68772b7 Matt Fleming     2013-02-08  181  fail:
> d68772b7 Matt Fleming     2013-02-08  182  	kfree(entry);
> d68772b7 Matt Fleming     2013-02-08  183  	return err;
 
Indeed. How about this?

---

>From 403180deeb68ce6b78ac0e22c50dc6aa2003dab5 Mon Sep 17 00:00:00 2001
From: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 15 Aug 2016 15:29:20 +0100
Subject: [PATCH] fs/efivarfs: Fix double kfree() in error path

Julia reported that we may double free 'name' in efivarfs_callback(),
and that this bug was introduced by commit 0d22f33bc37c ("efi: Don't
use spinlocks for efi vars").

Move one of the kfree()s until after the point at which we know we are
definitely on the success path.

Reported-by: Julia Lawall <julia.lawall@xxxxxxx>
Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
Cc: Sylvain Chouleur <sylvain.chouleur@xxxxxxxxx>
Signed-off-by: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>
---
 fs/efivarfs/super.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index e48feb022d82..a0837453dc2c 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -158,14 +158,14 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor,
 		goto fail_inode;
 	}
 
-	/* copied by the above to local storage in the dentry. */
-	kfree(name);
-
 	efivar_entry_size(entry, &size);
 	err = efivar_entry_add(entry, &efivarfs_list);
 	if (err)
 		goto fail_inode;
 
+	/* copied by the above to local storage in the dentry. */
+	kfree(name);
+
 	inode_lock(inode);
 	inode->i_private = entry;
 	i_size_write(inode, size + sizeof(entry->var.Attributes));
-- 
2.7.3

--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






