Re: [PATCH] kexec: prevent double free on image allocation failure
于 2013年02月22日 11:41, Sasha Levin 写道: > On 02/21/2013 09:46 PM, Zhang Yanfei wrote: >> 于 2013年02月22日 09:55, Eric W. Biederman 写道: >>> Sasha Levin writes: >>> If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. >>> >>> Agreed. >>> >>> I don't think that failure path has ever actually been exercised. >>> >>> The code is wrong, and it is worth fixing. >>> >>> Andrew I do you think you could queue this up? I don't have a handy tree. >> >> >> I still found another malloc/free problem in this function. So I update the >> patch. >> >> - >> >> From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001 >> From: Zhang Yanfei >> Date: Fri, 22 Feb 2013 10:34:02 +0800 >> Subject: [PATCH] kexec: fix allocation problems in function >> kimage_normal_alloc >> >> The function kimage_normal_alloc() has 2 allocation problems that may cause >> failures: >> >> 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it >> will >> free the image but would still set 'rimage', as a result kexec_load will >> try to free it again. >> >> This would explode as part of the freeing process is accessing internal >> members which point to uninitialized memory. >> >> 2. If kimage_normal_alloc() fails to alloc pages for image->swap_page, it >> should call kimage_free_page_list() to free allocated pages in >> image->control_pages list before it frees image. >> >> Signed-off-by: Sasha Levin >> Signed-off-by: Zhang Yanfei >> --- >> kernel/kexec.c | 10 ++ >> 1 files changed, 6 insertions(+), 4 deletions(-) >> >> diff --git a/kernel/kexec.c b/kernel/kexec.c >> index 5e4bd78..f219357 100644 >> --- a/kernel/kexec.c >> +++ b/kernel/kexec.c >> @@ -223,6 +223,8 @@ out: >> >> } >> >> +static void kimage_free_page_list(struct list_head *list); >> + >> static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, >> unsigned long nr_segments, >> struct kexec_segment __user *segments) >> @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage, >> unsigned long entry, >> if (result) >> goto out; >> >> -*rimage = image; >> - >> /* >> * Find a location for the control code buffer, and add it >> * the vector of segments so that it's pages will also be >> @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage, >> unsigned long entry, >> >> result = 0; >> out: >> -if (result == 0) >> +if (result == 0) { >> *rimage = image; >> -else >> +} else { >> +kimage_free_page_list(>control_pages); >> kfree(image); >> +} >> >> return result; >> } > > And if do_kimage_alloc() fails instead of kimage_alloc_control_pages() > you will NULL deref 'image', so now instead of leaking pages the kernel > will explode. Oh, I missed this. > > Either way, this issue you've pointed out should be fixed in a separate > patch. > > OK,I will send another patch. Thanks Zhang -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
On 02/21/2013 09:46 PM, Zhang Yanfei wrote: > 于 2013年02月22日 09:55, Eric W. Biederman 写道: >> Sasha Levin writes: >> >>> If kimage_normal_alloc() fails to initialize an allocated kimage, it will >>> free >>> the image but would still set 'rimage', as a result kexec_load will try >>> to free it again. >>> >>> This would explode as part of the freeing process is accessing internal >>> members which point to uninitialized memory. >> >> Agreed. >> >> I don't think that failure path has ever actually been exercised. >> >> The code is wrong, and it is worth fixing. >> >> Andrew I do you think you could queue this up? I don't have a handy tree. > > > I still found another malloc/free problem in this function. So I update the > patch. > > - > > From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001 > From: Zhang Yanfei > Date: Fri, 22 Feb 2013 10:34:02 +0800 > Subject: [PATCH] kexec: fix allocation problems in function > kimage_normal_alloc > > The function kimage_normal_alloc() has 2 allocation problems that may cause > failures: > > 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will > free the image but would still set 'rimage', as a result kexec_load will > try to free it again. > > This would explode as part of the freeing process is accessing internal > members which point to uninitialized memory. > > 2. If kimage_normal_alloc() fails to alloc pages for image->swap_page, it > should call kimage_free_page_list() to free allocated pages in > image->control_pages list before it frees image. > > Signed-off-by: Sasha Levin > Signed-off-by: Zhang Yanfei > --- > kernel/kexec.c | 10 ++ > 1 files changed, 6 insertions(+), 4 deletions(-) > > diff --git a/kernel/kexec.c b/kernel/kexec.c > index 5e4bd78..f219357 100644 > --- a/kernel/kexec.c > +++ b/kernel/kexec.c > @@ -223,6 +223,8 @@ out: > > } > > +static void kimage_free_page_list(struct list_head *list); > + > static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, > unsigned long nr_segments, > struct kexec_segment __user *segments) > @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage, > unsigned long entry, > if (result) > goto out; > > - *rimage = image; > - > /* >* Find a location for the control code buffer, and add it >* the vector of segments so that it's pages will also be > @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage, > unsigned long entry, > > result = 0; > out: > - if (result == 0) > + if (result == 0) { > *rimage = image; > - else > + } else { > + kimage_free_page_list(>control_pages); > kfree(image); > + } > > return result; > } And if do_kimage_alloc() fails instead of kimage_alloc_control_pages() you will NULL deref 'image', so now instead of leaking pages the kernel will explode. Either way, this issue you've pointed out should be fixed in a separate patch. Thanks, Sasha -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
于 2013年02月22日 09:55, Eric W. Biederman 写道: > Sasha Levin writes: > >> If kimage_normal_alloc() fails to initialize an allocated kimage, it will >> free >> the image but would still set 'rimage', as a result kexec_load will try >> to free it again. >> >> This would explode as part of the freeing process is accessing internal >> members which point to uninitialized memory. > > Agreed. > > I don't think that failure path has ever actually been exercised. > > The code is wrong, and it is worth fixing. > > Andrew I do you think you could queue this up? I don't have a handy tree. I still found another malloc/free problem in this function. So I update the patch. - >From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001 From: Zhang Yanfei Date: Fri, 22 Feb 2013 10:34:02 +0800 Subject: [PATCH] kexec: fix allocation problems in function kimage_normal_alloc The function kimage_normal_alloc() has 2 allocation problems that may cause failures: 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. 2. If kimage_normal_alloc() fails to alloc pages for image->swap_page, it should call kimage_free_page_list() to free allocated pages in image->control_pages list before it frees image. Signed-off-by: Sasha Levin Signed-off-by: Zhang Yanfei --- kernel/kexec.c | 10 ++ 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel/kexec.c b/kernel/kexec.c index 5e4bd78..f219357 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -223,6 +223,8 @@ out: } +static void kimage_free_page_list(struct list_head *list); + static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, unsigned long nr_segments, struct kexec_segment __user *segments) @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, if (result) goto out; - *rimage = image; - /* * Find a location for the control code buffer, and add it * the vector of segments so that it's pages will also be @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, result = 0; out: - if (result == 0) + if (result == 0) { *rimage = image; - else + } else { + kimage_free_page_list(>control_pages); kfree(image); + } return result; } -- 1.7.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
On 02/21/2013 08:55 PM, ebied...@xmission.com wrote: > Sasha Levin writes: > >> If kimage_normal_alloc() fails to initialize an allocated kimage, it will >> free >> the image but would still set 'rimage', as a result kexec_load will try >> to free it again. >> >> This would explode as part of the freeing process is accessing internal >> members which point to uninitialized memory. > > Agreed. > > I don't think that failure path has ever actually been exercised. trinity is actually quite good at hitting that, which is how I discovered it: [ 418.138251] Could not allocate control_code_buffer [ 418.143739] general protection fault: [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 418.147131] Dumping ftrace buffer: [ 418.147901](ftrace buffer empty) [ 418.148697] Modules linked in: [ 418.153440] CPU 1 [ 418.153440] Pid: 18098, comm: trinity Tainted: GW 3.8.0-next-20130220-sasha-00037-gc07b3b2-dirty #7 [ 418.153440] RIP: 0010:[] [] kimage_free_page_list+0x16/0x50 [ 418.153440] RSP: 0018:88009bfade78 EFLAGS: 00010292 [ 418.153440] RAX: 00180004 RBX: 0002 RCX: [ 418.153440] RDX: 88009c1a RSI: 0001 RDI: 6b6b6b6b6b6b6b6b [ 418.153440] RBP: 88009bfade98 R08: 2782 R09: [ 418.153440] R10: R11: R12: 88009c6cb4d0 [ 418.153440] R13: 88009c6cb720 R14: 88009c6cb4d0 R15: 00f6 [ 418.153440] FS: 7fb7eb95b700() GS:8800bb80() knlGS: [ 418.153440] CS: 0010 DS: ES: CR0: 80050033 [ 418.153440] CR2: 004808e0 CR3: 9eaaa000 CR4: 000406e0 [ 418.153440] DR0: DR1: DR2: [ 418.153440] DR3: DR6: 0ff0 DR7: 0400 [ 418.153440] Process trinity (pid: 18098, threadinfo 88009bfac000, task 88009c1a) [ 418.153440] Stack: [ 418.153440] 8546e948 0002 88009c6cb4d0 [ 418.153440] 88009bfaded8 8119b60f 0002 0002 [ 418.153440] 88009c6cb4d0 88009c6cb4d0 fff4 00f6 [ 418.153440] Call Trace: [ 418.153440] [] kimage_free+0x2f/0x100 [ 418.153440] [] sys_kexec_load+0x593/0x660 [ 418.153440] [] ? trace_hardirqs_on+0xd/0x10 [ 418.153440] [] tracesys+0xe1/0xe6 [ 418.153440] Code: c1 ef 0c 55 48 c1 e7 06 48 89 e5 48 01 c7 e8 82 ff ff ff 5d c3 55 48 89 e5 41 55 49 89 fd 41 54 53 48 83 ec 08 48 8b 3f 49 39 fd <48> 8b 1f 75 08 eb 22 0f 1f 00 48 89 d3 4c 8d 67 e0 e8 54 a6 8a [ 418.153440] RIP [] kimage_free_page_list+0x16/0x50 [ 418.153440] RSP [ 418.219646] ---[ end trace 0adb1d6b71fefb29 ]--- Thanks, Sasha -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
Sasha Levin writes: > If kimage_normal_alloc() fails to initialize an allocated kimage, it will free > the image but would still set 'rimage', as a result kexec_load will try > to free it again. > > This would explode as part of the freeing process is accessing internal > members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. The code is wrong, and it is worth fixing. Andrew I do you think you could queue this up? I don't have a handy tree. Reviewed-by: "Eric W. Biederman" > Signed-off-by: Sasha Levin > --- > kernel/kexec.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/kernel/kexec.c b/kernel/kexec.c > index 2348bd6..855bfbb 100644 > --- a/kernel/kexec.c > +++ b/kernel/kexec.c > @@ -242,8 +242,6 @@ static int kimage_normal_alloc(struct kimage **rimage, > unsigned long entry, > if (result) > goto out; > > - *rimage = image; > - > /* >* Find a location for the control code buffer, and add it >* the vector of segments so that it's pages will also be -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
Sasha Levin sasha.le...@oracle.com writes: If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. The code is wrong, and it is worth fixing. Andrew I do you think you could queue this up? I don't have a handy tree. Reviewed-by: Eric W. Biederman ebied...@xmission.com Signed-off-by: Sasha Levin sasha.le...@oracle.com --- kernel/kexec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/kernel/kexec.c b/kernel/kexec.c index 2348bd6..855bfbb 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -242,8 +242,6 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, if (result) goto out; - *rimage = image; - /* * Find a location for the control code buffer, and add it * the vector of segments so that it's pages will also be -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
On 02/21/2013 08:55 PM, ebied...@xmission.com wrote: Sasha Levin sasha.le...@oracle.com writes: If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. trinity is actually quite good at hitting that, which is how I discovered it: [ 418.138251] Could not allocate control_code_buffer [ 418.143739] general protection fault: [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 418.147131] Dumping ftrace buffer: [ 418.147901](ftrace buffer empty) [ 418.148697] Modules linked in: [ 418.153440] CPU 1 [ 418.153440] Pid: 18098, comm: trinity Tainted: GW 3.8.0-next-20130220-sasha-00037-gc07b3b2-dirty #7 [ 418.153440] RIP: 0010:[8119b5a6] [8119b5a6] kimage_free_page_list+0x16/0x50 [ 418.153440] RSP: 0018:88009bfade78 EFLAGS: 00010292 [ 418.153440] RAX: 00180004 RBX: 0002 RCX: [ 418.153440] RDX: 88009c1a RSI: 0001 RDI: 6b6b6b6b6b6b6b6b [ 418.153440] RBP: 88009bfade98 R08: 2782 R09: [ 418.153440] R10: R11: R12: 88009c6cb4d0 [ 418.153440] R13: 88009c6cb720 R14: 88009c6cb4d0 R15: 00f6 [ 418.153440] FS: 7fb7eb95b700() GS:8800bb80() knlGS: [ 418.153440] CS: 0010 DS: ES: CR0: 80050033 [ 418.153440] CR2: 004808e0 CR3: 9eaaa000 CR4: 000406e0 [ 418.153440] DR0: DR1: DR2: [ 418.153440] DR3: DR6: 0ff0 DR7: 0400 [ 418.153440] Process trinity (pid: 18098, threadinfo 88009bfac000, task 88009c1a) [ 418.153440] Stack: [ 418.153440] 8546e948 0002 88009c6cb4d0 [ 418.153440] 88009bfaded8 8119b60f 0002 0002 [ 418.153440] 88009c6cb4d0 88009c6cb4d0 fff4 00f6 [ 418.153440] Call Trace: [ 418.153440] [8119b60f] kimage_free+0x2f/0x100 [ 418.153440] [8119c563] sys_kexec_load+0x593/0x660 [ 418.153440] [8118363d] ? trace_hardirqs_on+0xd/0x10 [ 418.153440] [83dab7d8] tracesys+0xe1/0xe6 [ 418.153440] Code: c1 ef 0c 55 48 c1 e7 06 48 89 e5 48 01 c7 e8 82 ff ff ff 5d c3 55 48 89 e5 41 55 49 89 fd 41 54 53 48 83 ec 08 48 8b 3f 49 39 fd 48 8b 1f 75 08 eb 22 0f 1f 00 48 89 d3 4c 8d 67 e0 e8 54 a6 8a [ 418.153440] RIP [8119b5a6] kimage_free_page_list+0x16/0x50 [ 418.153440] RSP 88009bfade78 [ 418.219646] ---[ end trace 0adb1d6b71fefb29 ]--- Thanks, Sasha -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
于 2013年02月22日 09:55, Eric W. Biederman 写道: Sasha Levin sasha.le...@oracle.com writes: If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. The code is wrong, and it is worth fixing. Andrew I do you think you could queue this up? I don't have a handy tree. I still found another malloc/free problem in this function. So I update the patch. - From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001 From: Zhang Yanfei zhangyan...@cn.fujitsu.com Date: Fri, 22 Feb 2013 10:34:02 +0800 Subject: [PATCH] kexec: fix allocation problems in function kimage_normal_alloc The function kimage_normal_alloc() has 2 allocation problems that may cause failures: 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. 2. If kimage_normal_alloc() fails to alloc pages for image-swap_page, it should call kimage_free_page_list() to free allocated pages in image-control_pages list before it frees image. Signed-off-by: Sasha Levin sasha.le...@oracle.com Signed-off-by: Zhang Yanfei zhangyan...@cn.fujitsu.com --- kernel/kexec.c | 10 ++ 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel/kexec.c b/kernel/kexec.c index 5e4bd78..f219357 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -223,6 +223,8 @@ out: } +static void kimage_free_page_list(struct list_head *list); + static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, unsigned long nr_segments, struct kexec_segment __user *segments) @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, if (result) goto out; - *rimage = image; - /* * Find a location for the control code buffer, and add it * the vector of segments so that it's pages will also be @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, result = 0; out: - if (result == 0) + if (result == 0) { *rimage = image; - else + } else { + kimage_free_page_list(image-control_pages); kfree(image); + } return result; } -- 1.7.1 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
On 02/21/2013 09:46 PM, Zhang Yanfei wrote: 于 2013年02月22日 09:55, Eric W. Biederman 写道: Sasha Levin sasha.le...@oracle.com writes: If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. The code is wrong, and it is worth fixing. Andrew I do you think you could queue this up? I don't have a handy tree. I still found another malloc/free problem in this function. So I update the patch. - From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001 From: Zhang Yanfei zhangyan...@cn.fujitsu.com Date: Fri, 22 Feb 2013 10:34:02 +0800 Subject: [PATCH] kexec: fix allocation problems in function kimage_normal_alloc The function kimage_normal_alloc() has 2 allocation problems that may cause failures: 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. 2. If kimage_normal_alloc() fails to alloc pages for image-swap_page, it should call kimage_free_page_list() to free allocated pages in image-control_pages list before it frees image. Signed-off-by: Sasha Levin sasha.le...@oracle.com Signed-off-by: Zhang Yanfei zhangyan...@cn.fujitsu.com --- kernel/kexec.c | 10 ++ 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel/kexec.c b/kernel/kexec.c index 5e4bd78..f219357 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -223,6 +223,8 @@ out: } +static void kimage_free_page_list(struct list_head *list); + static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, unsigned long nr_segments, struct kexec_segment __user *segments) @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, if (result) goto out; - *rimage = image; - /* * Find a location for the control code buffer, and add it * the vector of segments so that it's pages will also be @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, result = 0; out: - if (result == 0) + if (result == 0) { *rimage = image; - else + } else { + kimage_free_page_list(image-control_pages); kfree(image); + } return result; } And if do_kimage_alloc() fails instead of kimage_alloc_control_pages() you will NULL deref 'image', so now instead of leaking pages the kernel will explode. Either way, this issue you've pointed out should be fixed in a separate patch. Thanks, Sasha -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
于 2013年02月22日 11:41, Sasha Levin 写道: On 02/21/2013 09:46 PM, Zhang Yanfei wrote: 于 2013年02月22日 09:55, Eric W. Biederman 写道: Sasha Levin sasha.le...@oracle.com writes: If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. The code is wrong, and it is worth fixing. Andrew I do you think you could queue this up? I don't have a handy tree. I still found another malloc/free problem in this function. So I update the patch. - From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001 From: Zhang Yanfei zhangyan...@cn.fujitsu.com Date: Fri, 22 Feb 2013 10:34:02 +0800 Subject: [PATCH] kexec: fix allocation problems in function kimage_normal_alloc The function kimage_normal_alloc() has 2 allocation problems that may cause failures: 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. 2. If kimage_normal_alloc() fails to alloc pages for image-swap_page, it should call kimage_free_page_list() to free allocated pages in image-control_pages list before it frees image. Signed-off-by: Sasha Levin sasha.le...@oracle.com Signed-off-by: Zhang Yanfei zhangyan...@cn.fujitsu.com --- kernel/kexec.c | 10 ++ 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel/kexec.c b/kernel/kexec.c index 5e4bd78..f219357 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -223,6 +223,8 @@ out: } +static void kimage_free_page_list(struct list_head *list); + static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, unsigned long nr_segments, struct kexec_segment __user *segments) @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, if (result) goto out; -*rimage = image; - /* * Find a location for the control code buffer, and add it * the vector of segments so that it's pages will also be @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, result = 0; out: -if (result == 0) +if (result == 0) { *rimage = image; -else +} else { +kimage_free_page_list(image-control_pages); kfree(image); +} return result; } And if do_kimage_alloc() fails instead of kimage_alloc_control_pages() you will NULL deref 'image', so now instead of leaking pages the kernel will explode. Oh, I missed this. Either way, this issue you've pointed out should be fixed in a separate patch. OK,I will send another patch. Thanks Zhang -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/