Re: [PATCH] SUNRPC: fix a memleak in gss_import_v2_context

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote:
> > The ctx->mech_used.data allocated by kmemdup is not freed in neither
> > gss_import_v2_context nor it only caller radeon_driver_open_kms.
> > Thus, this patch reform the last call of gss_import_v2_context to the
> > gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
> > formation.
> > 
> > Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
> > Signed-off-by: Zhipeng Lu <alexious@xxxxxxxxxx>
> > ---
> >  net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++-
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > index e31cfdf7eadc..1e54bd63e3f0 100644
> > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> >  	u64 seq_send64;
> >  	int keylen;
> >  	u32 time32;
> > +	int ret;
> >  
> >  	p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
> >  	if (IS_ERR(p))
> > @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> >  	}
> >  	ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
> >  
> > -	return gss_krb5_import_ctx_v2(ctx, gfp_mask);
> > +	ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
> > +	if (ret) {
> > +		p = ERR_PTR(ret);
> > +		goto out_free;
> > +	};
> >  
> > +out_free:
> > +	kfree(ctx->mech_used.data);
> 
> If the caller's error flow does not invoke
> gss_krb5_delete_sec_context(), then I would expect more than just
> mech_used.data would be leaked. What if, instead, you changed
> gss_krb5_import_sec_context() like this (untested):
> 
> 471         ret = gss_import_v2_context(p, end, ctx, gfp_mask);
> 472         memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess));
> 473         if (ret) {      
>    -                kfree(ctx);                      
>    +                gss_krb5_delete_sec_context(ctx);
> 475                 return ret;
> 476         }    
> 
> Obviously you would need to add a forward declaration of
> gss_krb5_import_sec_context() to make this compile. The question
> is whether gss_krb5_delete_sec_context() will deal with a partially-
> initialized @ctx.

Since the ctx is allocated just in gss_krb5_import_sec_context, 
together with that all of gss_krb5_import_sec_context, gss_import_v2_context(with this patch)
and gss_krb5_import_ctx_v2 are allocation-free balanced. It seems that we don't need to 
release anything else by invoking gss_krb5_delete_sec_context.

If I miss something leaked, please let me know.


> 
> How did you find this leak, and what kind of testing was done to
> confirm the fix is safe?

I found this memleak by static analysis. 
The safety issue can't be solved by automatic tools as far as I know.
So I check patches manuelly before sending patches.

> >  out_err:
> >  	return PTR_ERR(p);
> >  }
> > -- 
> > 2.34.1
> > 
> 
> -- 
> Chuck Lever




[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux