On Tue, Aug 16, 2016 at 02:34:15PM -0400, Robert Foss wrote:
> On 2016-08-16 02:18 PM, Jann Horn wrote:
> >On Tue, Aug 16, 2016 at 01:34:14PM -0400, [email protected] wrote:
> >>+   }
> >>+
> >>+   return 0;
> >>+
> >>+error:
> >>+   return ret;
> >>+}
> >>+
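Review bot: the error: label at the end of this function returns ret with no cleanup at all; if priv->task has already been filled in via get_proc_task() by the time a later step fails, this path needs a put_task_struct(priv->task) before returning, otherwise the task reference leaks on failure even once the release handler is fixed.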
> >[...]
> >>+const struct file_operations proc_totmaps_operations = {
> >>+   .open           = totmaps_open,
> >>+   .read           = seq_read,
> >>+   .llseek         = seq_lseek,
> >>+   .release        = proc_map_release,
> >>+};
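Review bot: .release = proc_map_release reuses the generic release handler, which as Jann noted on v2 does not drop the reference that totmaps_open stored in priv->task, so every open() of this file leaks one task_struct usage count. Give totmaps its own release that calls put_task_struct(priv->task) and then does whatever proc_map_release does (or teach the shared handler to do it), so each open is balanced by exactly one put.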
> >
> >As I said regarding v2 already:
> >This won't release priv->task, causing a memory leak (exploitable
> >through a reference counter overflow of the task_struct usage
> >counter).
> 
> Sorry about dropping the ball on that one, what's the correct way to release
> priv->task?

get_proc_task() does get_pid_task(), which does get_task_struct(), which
increments the ->usage field of the task. You want the inverse
operation - something that decrements ->usage and checks for zero. This is
done via put_task_struct(), which is defined a few lines below
get_task_struct().
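
To make the get/put pairing concrete, here is an added user-space model (not kernel code and not part of the patch) in which the stand-in task_struct, get_proc_task(), put_task_struct() and the open/release pair are all constructed for illustration; it counts how many references the posted release leaves behind versus one that drops priv->task.

```c
#include <stddef.h>

/* Constructed user-space stand-ins for the kernel objects named in the
 * thread; not the kernel's definitions. */
struct task_struct { unsigned int usage; };             /* models task->usage */
struct proc_maps_private { struct task_struct *task; }; /* models priv->task */

/* Models get_task_struct()/put_task_struct(): take and drop one reference
 * on ->usage (in the kernel, reaching zero frees the task). */
static void get_task_struct(struct task_struct *t) { t->usage++; }
static void put_task_struct(struct task_struct *t) { t->usage--; }

/* Models get_proc_task(): hands back the task with a reference held. */
static struct task_struct *get_proc_task(struct task_struct *t)
{
	get_task_struct(t);
	return t;
}

/* Open path as in the patch: stores the referenced task in priv->task. */
static int totmaps_open(struct task_struct *t, struct proc_maps_private *priv)
{
	priv->task = get_proc_task(t);
	return priv->task ? 0 : -1;
}

/* Release as posted: never touches priv->task, so each open leaks a ref. */
static int proc_map_release_leaky(struct proc_maps_private *priv) { (void)priv; return 0; }

/* Corrected release: the inverse of the get taken in totmaps_open(). */
static int totmaps_release(struct proc_maps_private *priv)
{
	if (priv->task)
		put_task_struct(priv->task);
	priv->task = NULL;
	return 0;
}

/* Opens and releases n times; returns how many references were never dropped. */
static unsigned int leaked_refs(int (*release)(struct proc_maps_private *), int n)
{
	struct task_struct t = { .usage = 1 };	/* one baseline reference */
	struct proc_maps_private priv = { NULL };
	for (int i = 0; i < n; i++)
		if (totmaps_open(&t, &priv) == 0)
			release(&priv);
	return t.usage - 1;
}
```

With the leaky release every open leaves the count one higher, which is exactly the unbounded growth that makes a counter overflow reachable; the corrected release returns it to the baseline.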
