[1/1] exec: Fix mem leak in kernel_read_file

Message ID	1551798872-28670-2-git-send-email-tyhicks@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Tyler Hicks <tyhicks@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [PATCH 1/1] exec: Fix mem leak in kernel_read_file Date: Tue, 5 Mar 2019 15:14:32 +0000 Message-Id: <1551798872-28670-2-git-send-email-tyhicks@canonical.com> In-Reply-To: <1551798872-28670-1-git-send-email-tyhicks@canonical.com> References: <1551798872-28670-1-git-send-email-tyhicks@canonical.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2019-8980 - VFS memory leak \| expand [0/1,SRU,B/C/D/Unstable] CVE-2019-8980 - VFS memory leak [1/1] exec: Fix mem leak in kernel_read_file

Message ID

1551798872-28670-2-git-send-email-tyhicks@canonical.com

State

New

Headers

From: Tyler Hicks <tyhicks@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] exec: Fix mem leak in kernel_read_file
Date: Tue,  5 Mar 2019 15:14:32 +0000
Message-Id: <1551798872-28670-2-git-send-email-tyhicks@canonical.com>
In-Reply-To: <1551798872-28670-1-git-send-email-tyhicks@canonical.com>
References: <1551798872-28670-1-git-send-email-tyhicks@canonical.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2019-8980 - VFS memory leak | expand

Commit Message

Tyler Hicks March 5, 2019, 3:14 p.m. UTC

From: YueHaibing <yuehaibing@huawei.com>

syzkaller report this:
BUG: memory leak
unreferenced object 0xffffc9000488d000 (size 9195520):
  comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
  hex dump (first 32 bytes):
    ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  ................
    02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..........z.....
  backtrace:
    [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
    [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
    [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
    [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
    [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
    [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
    [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
    [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<00000000241f889b>] 0xffffffffffffffff

It should goto 'out_free' lable to free allocated buf while kernel_read
fails.

Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

CVE-2019-8980

(cherry picked from commit f612acfae86af7ecad754ae6a46019be9da05b8e)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 fs/exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Colin Ian King March 6, 2019, 8:54 a.m. UTC | #1

On 05/03/2019 15:14, Tyler Hicks wrote:
> From: YueHaibing <yuehaibing@huawei.com>
> 
> syzkaller report this:
> BUG: memory leak
> unreferenced object 0xffffc9000488d000 (size 9195520):
>   comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
>   hex dump (first 32 bytes):
>     ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  ................
>     02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..........z.....
>   backtrace:
>     [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
>     [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
>     [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
>     [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
>     [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
>     [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
>     [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
>     [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>     [<00000000241f889b>] 0xffffffffffffffff
> 
> It should goto 'out_free' lable to free allocated buf while kernel_read
> fails.
> 
> Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
> Signed-off-by: YueHaibing <yuehaibing@huawei.com>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> 
> CVE-2019-8980
> 
> (cherry picked from commit f612acfae86af7ecad754ae6a46019be9da05b8e)
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
> ---
>  fs/exec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/exec.c b/fs/exec.c
> index b9fd9abac832..d0099d6f434b 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -941,7 +941,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
>  		bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
>  		if (bytes < 0) {
>  			ret = bytes;
> -			goto out;
> +			goto out_free;
>  		}
>  
>  		if (bytes == 0)
> 

Acked-by: Colin Ian King <colin.king@canonical.com>

diff --git a/fs/exec.c b/fs/exec.c
index b9fd9abac832..d0099d6f434b 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -941,7 +941,7 @@  int kernel_read_file(struct file *file, void **buf, loff_t *size,
 		bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
 		if (bytes < 0) {
 			ret = bytes;
-			goto out;
+			goto out_free;
 		}
 
 		if (bytes == 0)

[1/1] exec: Fix mem leak in kernel_read_file

Commit Message

Comments

Patch