Patchwork [net] xfrm: fix freed block size calculation in xfrm_policy_fini()

login
register
mail settings
Submitter Michal Kubeček
Date Jan. 18, 2013, 3:03 p.m.
Message ID <20130118153446.3AE05C1AFE@unicorn.suse.cz>
Download mbox | patch
Permalink /patch/213643/
State Awaiting Upstream
Delegated to: David Miller
Headers show

Comments

Michal Kubeček - Jan. 18, 2013, 3:03 p.m.
Missing multiplication of block size by sizeof(struct hlist_head)
can cause xfrm_hash_free() to be called with wrong second argument
so that kfree() is called on a block allocated with vzalloc() or
__get_free_pages() or free_pages() is called with wrong order when
a namespace with enough policies is removed.

Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
affected.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
 net/xfrm/xfrm_policy.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
David Miller - Jan. 18, 2013, 7:43 p.m.
From: Michal Kubecek <mkubecek@suse.cz>
Date: Fri, 18 Jan 2013 16:03:48 +0100

> Missing multiplication of block size by sizeof(struct hlist_head)
> can cause xfrm_hash_free() to be called with wrong second argument
> so that kfree() is called on a block allocated with vzalloc() or
> __get_free_pages() or free_pages() is called with wrong order when
> a namespace with enough policies is removed.
> 
> Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
> affected.
> 
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

I'll let Steffen pick this one up.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Steffen Klassert - Jan. 21, 2013, 12:02 p.m.
On Fri, Jan 18, 2013 at 04:03:48PM +0100, Michal Kubecek wrote:
> Missing multiplication of block size by sizeof(struct hlist_head)
> can cause xfrm_hash_free() to be called with wrong second argument
> so that kfree() is called on a block allocated with vzalloc() or
> __get_free_pages() or free_pages() is called with wrong order when
> a namespace with enough policies is removed.
> 
> Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
> affected.
> 
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

Applied, Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 41eabc4..07c5857 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2656,7 +2656,7 @@  static void xfrm_policy_fini(struct net *net)
 		WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
 
 		htab = &net->xfrm.policy_bydst[dir];
-		sz = (htab->hmask + 1);
+		sz = (htab->hmask + 1) * sizeof(struct hlist_head);
 		WARN_ON(!hlist_empty(htab->table));
 		xfrm_hash_free(htab->table, sz);
 	}