If count argument in copy_fd_bitmaps() is not a multiple of BITS_PER_BYTE, then one byte is lost and is not used in further manipulations with cpy value in memcpy() and memset() causing a leak. The leak was introduced with close_range() call using CLOSE_RANGE_UNSHARE flag. The patch suggests implementing an indicator (named add_byte) of count being multiple of BITS_PER_BYTE and adding it to the cpy value. Found by Syzkaller (https://github.com/google/syzkaller). Signed-off-by: Fedor Pchelkin <aissur0002@xxxxxxxxx> Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx> --- fs/file.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/fs/file.c b/fs/file.c index 3ef1479df203..3c64a6423604 100644 --- a/fs/file.c +++ b/fs/file.c @@ -56,10 +56,8 @@ static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt, { unsigned int cpy, set; unsigned int add_byte = 0; - if (count % BITS_PER_BYTE != 0) add_byte = 1; - cpy = count / BITS_PER_BYTE + add_byte; set = (nfdt->max_fds - count) / BITS_PER_BYTE; memcpy(nfdt->open_fds, ofdt->open_fds, cpy); -- 2.25.1
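Review bot: the diff as posted does not carry the change the commit message describes. The hunk header reads `@@ -56,10 +56,8 @@`, the diffstat says `2 deletions(-)`, and both `unsigned int add_byte = 0;` and `cpy = count / BITS_PER_BYTE + add_byte;` appear as unchanged context, so the only lines actually removed are two blank lines around the `if (count % BITS_PER_BYTE != 0) add_byte = 1;` block. This looks like the patch was generated against a tree where the fix was already applied; please regenerate it against the base `index 3ef1479df203` so the `if`/`add_byte`/`cpy` lines show up as `+` additions and reviewers can see the real delta. While respinning, consider `cpy = DIV_ROUND_UP(count, BITS_PER_BYTE);` in place of the `add_byte` flag, which expresses the round-up in one line using the kernel's existing helper, and it would help to state in the commit message that `cpy` is rounded up while `set = (nfdt->max_fds - count) / BITS_PER_BYTE` is rounded down, so the two still sum to `max_fds / BITS_PER_BYTE` whenever `max_fds` is a multiple of `BITS_PER_BYTE`, which is why the following `memcpy`/`memset` pair does not run past the bitmap.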