Message ID | 1556137087-25814-1-git-send-email-wang6495@umn.edu |
---|---|
State | Rejected |
Delegated to: | David Miller |
Headers | show |
Series | net: tls: fix a memory leak bug | expand |
On Wed, 24 Apr 2019 15:18:07 -0500, Wenwen Wang wrote: > In decrypt_internal(), a memory block 'mem' is allocated through kmalloc() > to hold aead_req, sgin[], sgout[], aad, and iv. This memory block should be > freed after it is used, before this function is returned. However, if the > return value of the function invocation of tls_do_decryption() is > -EINPROGRESS, this memory block is actually not freed, which is a memory > leak bug. > > To fix this issue, free the allocated block before the error code > -EINPROGRESS is returned. > > Signed-off-by: Wenwen Wang <wang6495@umn.edu> Did you find this by code inspection or is this provable at runtime (kmemleak or such)? > diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c > index b50ced8..22445bb 100644 > --- a/net/tls/tls_sw.c > +++ b/net/tls/tls_sw.c > @@ -1445,8 +1445,10 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, > /* Prepare and submit AEAD request */ > err = tls_do_decryption(sk, skb, sgin, sgout, iv, > data_len, aead_req, async); > - if (err == -EINPROGRESS) > + if (err == -EINPROGRESS) { > + kfree(mem); > return err; Mm... don't think so. -EINPROGRESS is special, it means something is working on the request asynchronously here. I think this memory is freed in tls_decrypt_done(): kfree(aead_req); Note that aead_req is the first member of the allocated buffer. CCing Vakul > + } > > /* Release the pages in case iov was mapped to pages */ > for (; pages > 0; pages--)
> -----Original Message----- > From: Jakub Kicinski <jakub.kicinski@netronome.com> > Sent: Thursday, April 25, 2019 6:39 AM > To: Wenwen Wang <wang6495@umn.edu> > Cc: Boris Pismenny <borisp@mellanox.com>; Aviad Yehezkel > <aviadye@mellanox.com>; Dave Watson <davejwatson@fb.com>; John > Fastabend <john.fastabend@gmail.com>; Daniel Borkmann > <daniel@iogearbox.net>; David S. Miller <davem@davemloft.net>; open > list:NETWORKING [TLS] <netdev@vger.kernel.org>; open list <linux- > kernel@vger.kernel.org>; Vakul Garg <vakul.garg@nxp.com> > Subject: Re: [PATCH] net: tls: fix a memory leak bug > > On Wed, 24 Apr 2019 15:18:07 -0500, Wenwen Wang wrote: > > In decrypt_internal(), a memory block 'mem' is allocated through > > kmalloc() to hold aead_req, sgin[], sgout[], aad, and iv. This memory > > block should be freed after it is used, before this function is > > returned. However, if the return value of the function invocation of > > tls_do_decryption() is -EINPROGRESS, this memory block is actually not > > freed, which is a memory leak bug. > > > > To fix this issue, free the allocated block before the error code > > -EINPROGRESS is returned. > > > > Signed-off-by: Wenwen Wang <wang6495@umn.edu> > > Did you find this by code inspection or is this provable at runtime (kmemleak > or such)? > > > diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index > > b50ced8..22445bb 100644 > > --- a/net/tls/tls_sw.c > > +++ b/net/tls/tls_sw.c > > @@ -1445,8 +1445,10 @@ static int decrypt_internal(struct sock *sk, > struct sk_buff *skb, > > /* Prepare and submit AEAD request */ > > err = tls_do_decryption(sk, skb, sgin, sgout, iv, > > data_len, aead_req, async); > > - if (err == -EINPROGRESS) > > + if (err == -EINPROGRESS) { > > + kfree(mem); > > return err; > > Mm... don't think so. > > -EINPROGRESS is special, it means something is working on the request > asynchronously here. > > I think this memory is freed in tls_decrypt_done(): > > kfree(aead_req); > > Note that aead_req is the first member of the allocated buffer. > > CCing Vakul The patch is wrong. Valid reasons have been given against the patch. > > > + } > > > > /* Release the pages in case iov was mapped to pages */ > > for (; pages > 0; pages--)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index b50ced8..22445bb 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1445,8 +1445,10 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, /* Prepare and submit AEAD request */ err = tls_do_decryption(sk, skb, sgin, sgout, iv, data_len, aead_req, async); - if (err == -EINPROGRESS) + if (err == -EINPROGRESS) { + kfree(mem); return err; + } /* Release the pages in case iov was mapped to pages */ for (; pages > 0; pages--)
In decrypt_internal(), a memory block 'mem' is allocated through kmalloc() to hold aead_req, sgin[], sgout[], aad, and iv. This memory block should be freed after it is used, before this function is returned. However, if the return value of the function invocation of tls_do_decryption() is -EINPROGRESS, this memory block is actually not freed, which is a memory leak bug. To fix this issue, free the allocated block before the error code -EINPROGRESS is returned. Signed-off-by: Wenwen Wang <wang6495@umn.edu> --- net/tls/tls_sw.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)