Re: [PATCH] kexec: prevent double free on image allocation failure
于 2013年02月22日 11:41, Sasha Levin 写道:
> On 02/21/2013 09:46 PM, Zhang Yanfei wrote:
>> 于 2013年02月22日 09:55, Eric W. Biederman 写道:
>>> Sasha Levin writes:
>>>
If kimage_normal_alloc() fails to initialize an allocated kimage, it will
free
the image but would still set 'rimage', as a result kexec_load will try
to free it again.
This would explode as part of the freeing process is accessing internal
members which point to uninitialized memory.
>>>
>>> Agreed.
>>>
>>> I don't think that failure path has ever actually been exercised.
>>>
>>> The code is wrong, and it is worth fixing.
>>>
>>> Andrew I do you think you could queue this up? I don't have a handy tree.
>>
>>
>> I still found another malloc/free problem in this function. So I update the
>> patch.
>>
>> -
>>
>> From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001
>> From: Zhang Yanfei
>> Date: Fri, 22 Feb 2013 10:34:02 +0800
>> Subject: [PATCH] kexec: fix allocation problems in function
>> kimage_normal_alloc
>>
>> The function kimage_normal_alloc() has 2 allocation problems that may cause
>> failures:
>>
>> 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it
>> will
>> free the image but would still set 'rimage', as a result kexec_load will
>> try to free it again.
>>
>> This would explode as part of the freeing process is accessing internal
>> members which point to uninitialized memory.
>>
>> 2. If kimage_normal_alloc() fails to alloc pages for image->swap_page, it
>> should call kimage_free_page_list() to free allocated pages in
>> image->control_pages list before it frees image.
>>
>> Signed-off-by: Sasha Levin
>> Signed-off-by: Zhang Yanfei
>> ---
>> kernel/kexec.c | 10 ++
>> 1 files changed, 6 insertions(+), 4 deletions(-)
>>
>> diff --git a/kernel/kexec.c b/kernel/kexec.c
>> index 5e4bd78..f219357 100644
>> --- a/kernel/kexec.c
>> +++ b/kernel/kexec.c
>> @@ -223,6 +223,8 @@ out:
>>
>> }
>>
>> +static void kimage_free_page_list(struct list_head *list);
>> +
>> static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry,
>> unsigned long nr_segments,
>> struct kexec_segment __user *segments)
>> @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage,
>> unsigned long entry,
>> if (result)
>> goto out;
>>
>> -*rimage = image;
>> -
>> /*
>> * Find a location for the control code buffer, and add it
>> * the vector of segments so that it's pages will also be
>> @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage,
>> unsigned long entry,
>>
>> result = 0;
>> out:
>> -if (result == 0)
>> +if (result == 0) {
>> *rimage = image;
>> -else
>> +} else {
>> +kimage_free_page_list(>control_pages);
>> kfree(image);
>> +}
>>
>> return result;
>> }
>
> And if do_kimage_alloc() fails instead of kimage_alloc_control_pages()
> you will NULL deref 'image', so now instead of leaking pages the kernel
> will explode.
Oh, I missed this.
>
> Either way, this issue you've pointed out should be fixed in a separate
> patch.
>
>
OK,I will send another patch.
Thanks
Zhang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
On 02/21/2013 09:46 PM, Zhang Yanfei wrote:
> 于 2013年02月22日 09:55, Eric W. Biederman 写道:
>> Sasha Levin writes:
>>
>>> If kimage_normal_alloc() fails to initialize an allocated kimage, it will
>>> free
>>> the image but would still set 'rimage', as a result kexec_load will try
>>> to free it again.
>>>
>>> This would explode as part of the freeing process is accessing internal
>>> members which point to uninitialized memory.
>>
>> Agreed.
>>
>> I don't think that failure path has ever actually been exercised.
>>
>> The code is wrong, and it is worth fixing.
>>
>> Andrew I do you think you could queue this up? I don't have a handy tree.
>
>
> I still found another malloc/free problem in this function. So I update the
> patch.
>
> -
>
> From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001
> From: Zhang Yanfei
> Date: Fri, 22 Feb 2013 10:34:02 +0800
> Subject: [PATCH] kexec: fix allocation problems in function
> kimage_normal_alloc
>
> The function kimage_normal_alloc() has 2 allocation problems that may cause
> failures:
>
> 1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will
> free the image but would still set 'rimage', as a result kexec_load will
> try to free it again.
>
> This would explode as part of the freeing process is accessing internal
> members which point to uninitialized memory.
>
> 2. If kimage_normal_alloc() fails to alloc pages for image->swap_page, it
> should call kimage_free_page_list() to free allocated pages in
> image->control_pages list before it frees image.
>
> Signed-off-by: Sasha Levin
> Signed-off-by: Zhang Yanfei
> ---
> kernel/kexec.c | 10 ++
> 1 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/kexec.c b/kernel/kexec.c
> index 5e4bd78..f219357 100644
> --- a/kernel/kexec.c
> +++ b/kernel/kexec.c
> @@ -223,6 +223,8 @@ out:
>
> }
>
> +static void kimage_free_page_list(struct list_head *list);
> +
> static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry,
> unsigned long nr_segments,
> struct kexec_segment __user *segments)
> @@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage,
> unsigned long entry,
> if (result)
> goto out;
>
> - *rimage = image;
> -
> /*
>* Find a location for the control code buffer, and add it
>* the vector of segments so that it's pages will also be
> @@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage,
> unsigned long entry,
>
> result = 0;
> out:
> - if (result == 0)
> + if (result == 0) {
> *rimage = image;
> - else
> + } else {
> + kimage_free_page_list(>control_pages);
> kfree(image);
> + }
>
> return result;
> }
And if do_kimage_alloc() fails instead of kimage_alloc_control_pages()
you will NULL deref 'image', so now instead of leaking pages the kernel
will explode.
Either way, this issue you've pointed out should be fixed in a separate
patch.
Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
于 2013年02月22日 09:55, Eric W. Biederman 写道:
> Sasha Levin writes:
>
>> If kimage_normal_alloc() fails to initialize an allocated kimage, it will
>> free
>> the image but would still set 'rimage', as a result kexec_load will try
>> to free it again.
>>
>> This would explode as part of the freeing process is accessing internal
>> members which point to uninitialized memory.
>
> Agreed.
>
> I don't think that failure path has ever actually been exercised.
>
> The code is wrong, and it is worth fixing.
>
> Andrew I do you think you could queue this up? I don't have a handy tree.
I still found another malloc/free problem in this function. So I update the
patch.
-
>From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001
From: Zhang Yanfei
Date: Fri, 22 Feb 2013 10:34:02 +0800
Subject: [PATCH] kexec: fix allocation problems in function kimage_normal_alloc
The function kimage_normal_alloc() has 2 allocation problems that may cause
failures:
1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will
free the image but would still set 'rimage', as a result kexec_load will
try to free it again.
This would explode as part of the freeing process is accessing internal
members which point to uninitialized memory.
2. If kimage_normal_alloc() fails to alloc pages for image->swap_page, it
should call kimage_free_page_list() to free allocated pages in
image->control_pages list before it frees image.
Signed-off-by: Sasha Levin
Signed-off-by: Zhang Yanfei
---
kernel/kexec.c | 10 ++
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 5e4bd78..f219357 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -223,6 +223,8 @@ out:
}
+static void kimage_free_page_list(struct list_head *list);
+
static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry,
unsigned long nr_segments,
struct kexec_segment __user *segments)
@@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage,
unsigned long entry,
if (result)
goto out;
- *rimage = image;
-
/*
* Find a location for the control code buffer, and add it
* the vector of segments so that it's pages will also be
@@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage,
unsigned long entry,
result = 0;
out:
- if (result == 0)
+ if (result == 0) {
*rimage = image;
- else
+ } else {
+ kimage_free_page_list(>control_pages);
kfree(image);
+ }
return result;
}
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
On 02/21/2013 08:55 PM, ebied...@xmission.com wrote: > Sasha Levin writes: > >> If kimage_normal_alloc() fails to initialize an allocated kimage, it will >> free >> the image but would still set 'rimage', as a result kexec_load will try >> to free it again. >> >> This would explode as part of the freeing process is accessing internal >> members which point to uninitialized memory. > > Agreed. > > I don't think that failure path has ever actually been exercised. trinity is actually quite good at hitting that, which is how I discovered it: [ 418.138251] Could not allocate control_code_buffer [ 418.143739] general protection fault: [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 418.147131] Dumping ftrace buffer: [ 418.147901](ftrace buffer empty) [ 418.148697] Modules linked in: [ 418.153440] CPU 1 [ 418.153440] Pid: 18098, comm: trinity Tainted: GW 3.8.0-next-20130220-sasha-00037-gc07b3b2-dirty #7 [ 418.153440] RIP: 0010:[] [] kimage_free_page_list+0x16/0x50 [ 418.153440] RSP: 0018:88009bfade78 EFLAGS: 00010292 [ 418.153440] RAX: 00180004 RBX: 0002 RCX: [ 418.153440] RDX: 88009c1a RSI: 0001 RDI: 6b6b6b6b6b6b6b6b [ 418.153440] RBP: 88009bfade98 R08: 2782 R09: [ 418.153440] R10: R11: R12: 88009c6cb4d0 [ 418.153440] R13: 88009c6cb720 R14: 88009c6cb4d0 R15: 00f6 [ 418.153440] FS: 7fb7eb95b700() GS:8800bb80() knlGS: [ 418.153440] CS: 0010 DS: ES: CR0: 80050033 [ 418.153440] CR2: 004808e0 CR3: 9eaaa000 CR4: 000406e0 [ 418.153440] DR0: DR1: DR2: [ 418.153440] DR3: DR6: 0ff0 DR7: 0400 [ 418.153440] Process trinity (pid: 18098, threadinfo 88009bfac000, task 88009c1a) [ 418.153440] Stack: [ 418.153440] 8546e948 0002 88009c6cb4d0 [ 418.153440] 88009bfaded8 8119b60f 0002 0002 [ 418.153440] 88009c6cb4d0 88009c6cb4d0 fff4 00f6 [ 418.153440] Call Trace: [ 418.153440] [] kimage_free+0x2f/0x100 [ 418.153440] [] sys_kexec_load+0x593/0x660 [ 418.153440] [] ? trace_hardirqs_on+0xd/0x10 [ 418.153440] [] tracesys+0xe1/0xe6 [ 418.153440] Code: c1 ef 0c 55 48 c1 e7 06 48 89 e5 48 01 c7 e8 82 ff ff ff 5d c3 55 48 89 e5 41 55 49 89 fd 41 54 53 48 83 ec 08 48 8b 3f 49 39 fd <48> 8b 1f 75 08 eb 22 0f 1f 00 48 89 d3 4c 8d 67 e0 e8 54 a6 8a [ 418.153440] RIP [] kimage_free_page_list+0x16/0x50 [ 418.153440] RSP [ 418.219646] ---[ end trace 0adb1d6b71fefb29 ]--- Thanks, Sasha -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
Sasha Levin writes: > If kimage_normal_alloc() fails to initialize an allocated kimage, it will free > the image but would still set 'rimage', as a result kexec_load will try > to free it again. > > This would explode as part of the freeing process is accessing internal > members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. The code is wrong, and it is worth fixing. Andrew I do you think you could queue this up? I don't have a handy tree. Reviewed-by: "Eric W. Biederman" > Signed-off-by: Sasha Levin > --- > kernel/kexec.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/kernel/kexec.c b/kernel/kexec.c > index 2348bd6..855bfbb 100644 > --- a/kernel/kexec.c > +++ b/kernel/kexec.c > @@ -242,8 +242,6 @@ static int kimage_normal_alloc(struct kimage **rimage, > unsigned long entry, > if (result) > goto out; > > - *rimage = image; > - > /* >* Find a location for the control code buffer, and add it >* the vector of segments so that it's pages will also be -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
Sasha Levin sasha.le...@oracle.com writes: If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. The code is wrong, and it is worth fixing. Andrew I do you think you could queue this up? I don't have a handy tree. Reviewed-by: Eric W. Biederman ebied...@xmission.com Signed-off-by: Sasha Levin sasha.le...@oracle.com --- kernel/kexec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/kernel/kexec.c b/kernel/kexec.c index 2348bd6..855bfbb 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -242,8 +242,6 @@ static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry, if (result) goto out; - *rimage = image; - /* * Find a location for the control code buffer, and add it * the vector of segments so that it's pages will also be -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
On 02/21/2013 08:55 PM, ebied...@xmission.com wrote: Sasha Levin sasha.le...@oracle.com writes: If kimage_normal_alloc() fails to initialize an allocated kimage, it will free the image but would still set 'rimage', as a result kexec_load will try to free it again. This would explode as part of the freeing process is accessing internal members which point to uninitialized memory. Agreed. I don't think that failure path has ever actually been exercised. trinity is actually quite good at hitting that, which is how I discovered it: [ 418.138251] Could not allocate control_code_buffer [ 418.143739] general protection fault: [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 418.147131] Dumping ftrace buffer: [ 418.147901](ftrace buffer empty) [ 418.148697] Modules linked in: [ 418.153440] CPU 1 [ 418.153440] Pid: 18098, comm: trinity Tainted: GW 3.8.0-next-20130220-sasha-00037-gc07b3b2-dirty #7 [ 418.153440] RIP: 0010:[8119b5a6] [8119b5a6] kimage_free_page_list+0x16/0x50 [ 418.153440] RSP: 0018:88009bfade78 EFLAGS: 00010292 [ 418.153440] RAX: 00180004 RBX: 0002 RCX: [ 418.153440] RDX: 88009c1a RSI: 0001 RDI: 6b6b6b6b6b6b6b6b [ 418.153440] RBP: 88009bfade98 R08: 2782 R09: [ 418.153440] R10: R11: R12: 88009c6cb4d0 [ 418.153440] R13: 88009c6cb720 R14: 88009c6cb4d0 R15: 00f6 [ 418.153440] FS: 7fb7eb95b700() GS:8800bb80() knlGS: [ 418.153440] CS: 0010 DS: ES: CR0: 80050033 [ 418.153440] CR2: 004808e0 CR3: 9eaaa000 CR4: 000406e0 [ 418.153440] DR0: DR1: DR2: [ 418.153440] DR3: DR6: 0ff0 DR7: 0400 [ 418.153440] Process trinity (pid: 18098, threadinfo 88009bfac000, task 88009c1a) [ 418.153440] Stack: [ 418.153440] 8546e948 0002 88009c6cb4d0 [ 418.153440] 88009bfaded8 8119b60f 0002 0002 [ 418.153440] 88009c6cb4d0 88009c6cb4d0 fff4 00f6 [ 418.153440] Call Trace: [ 418.153440] [8119b60f] kimage_free+0x2f/0x100 [ 418.153440] [8119c563] sys_kexec_load+0x593/0x660 [ 418.153440] [8118363d] ? trace_hardirqs_on+0xd/0x10 [ 418.153440] [83dab7d8] tracesys+0xe1/0xe6 [ 418.153440] Code: c1 ef 0c 55 48 c1 e7 06 48 89 e5 48 01 c7 e8 82 ff ff ff 5d c3 55 48 89 e5 41 55 49 89 fd 41 54 53 48 83 ec 08 48 8b 3f 49 39 fd 48 8b 1f 75 08 eb 22 0f 1f 00 48 89 d3 4c 8d 67 e0 e8 54 a6 8a [ 418.153440] RIP [8119b5a6] kimage_free_page_list+0x16/0x50 [ 418.153440] RSP 88009bfade78 [ 418.219646] ---[ end trace 0adb1d6b71fefb29 ]--- Thanks, Sasha -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
于 2013年02月22日 09:55, Eric W. Biederman 写道:
Sasha Levin sasha.le...@oracle.com writes:
If kimage_normal_alloc() fails to initialize an allocated kimage, it will
free
the image but would still set 'rimage', as a result kexec_load will try
to free it again.
This would explode as part of the freeing process is accessing internal
members which point to uninitialized memory.
Agreed.
I don't think that failure path has ever actually been exercised.
The code is wrong, and it is worth fixing.
Andrew I do you think you could queue this up? I don't have a handy tree.
I still found another malloc/free problem in this function. So I update the
patch.
-
From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001
From: Zhang Yanfei zhangyan...@cn.fujitsu.com
Date: Fri, 22 Feb 2013 10:34:02 +0800
Subject: [PATCH] kexec: fix allocation problems in function kimage_normal_alloc
The function kimage_normal_alloc() has 2 allocation problems that may cause
failures:
1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will
free the image but would still set 'rimage', as a result kexec_load will
try to free it again.
This would explode as part of the freeing process is accessing internal
members which point to uninitialized memory.
2. If kimage_normal_alloc() fails to alloc pages for image-swap_page, it
should call kimage_free_page_list() to free allocated pages in
image-control_pages list before it frees image.
Signed-off-by: Sasha Levin sasha.le...@oracle.com
Signed-off-by: Zhang Yanfei zhangyan...@cn.fujitsu.com
---
kernel/kexec.c | 10 ++
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 5e4bd78..f219357 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -223,6 +223,8 @@ out:
}
+static void kimage_free_page_list(struct list_head *list);
+
static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry,
unsigned long nr_segments,
struct kexec_segment __user *segments)
@@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage,
unsigned long entry,
if (result)
goto out;
- *rimage = image;
-
/*
* Find a location for the control code buffer, and add it
* the vector of segments so that it's pages will also be
@@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage,
unsigned long entry,
result = 0;
out:
- if (result == 0)
+ if (result == 0) {
*rimage = image;
- else
+ } else {
+ kimage_free_page_list(image-control_pages);
kfree(image);
+ }
return result;
}
--
1.7.1
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
On 02/21/2013 09:46 PM, Zhang Yanfei wrote:
于 2013年02月22日 09:55, Eric W. Biederman 写道:
Sasha Levin sasha.le...@oracle.com writes:
If kimage_normal_alloc() fails to initialize an allocated kimage, it will
free
the image but would still set 'rimage', as a result kexec_load will try
to free it again.
This would explode as part of the freeing process is accessing internal
members which point to uninitialized memory.
Agreed.
I don't think that failure path has ever actually been exercised.
The code is wrong, and it is worth fixing.
Andrew I do you think you could queue this up? I don't have a handy tree.
I still found another malloc/free problem in this function. So I update the
patch.
-
From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001
From: Zhang Yanfei zhangyan...@cn.fujitsu.com
Date: Fri, 22 Feb 2013 10:34:02 +0800
Subject: [PATCH] kexec: fix allocation problems in function
kimage_normal_alloc
The function kimage_normal_alloc() has 2 allocation problems that may cause
failures:
1. If kimage_normal_alloc() fails to initialize an allocated kimage, it will
free the image but would still set 'rimage', as a result kexec_load will
try to free it again.
This would explode as part of the freeing process is accessing internal
members which point to uninitialized memory.
2. If kimage_normal_alloc() fails to alloc pages for image-swap_page, it
should call kimage_free_page_list() to free allocated pages in
image-control_pages list before it frees image.
Signed-off-by: Sasha Levin sasha.le...@oracle.com
Signed-off-by: Zhang Yanfei zhangyan...@cn.fujitsu.com
---
kernel/kexec.c | 10 ++
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 5e4bd78..f219357 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -223,6 +223,8 @@ out:
}
+static void kimage_free_page_list(struct list_head *list);
+
static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry,
unsigned long nr_segments,
struct kexec_segment __user *segments)
@@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage,
unsigned long entry,
if (result)
goto out;
- *rimage = image;
-
/*
* Find a location for the control code buffer, and add it
* the vector of segments so that it's pages will also be
@@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage,
unsigned long entry,
result = 0;
out:
- if (result == 0)
+ if (result == 0) {
*rimage = image;
- else
+ } else {
+ kimage_free_page_list(image-control_pages);
kfree(image);
+ }
return result;
}
And if do_kimage_alloc() fails instead of kimage_alloc_control_pages()
you will NULL deref 'image', so now instead of leaking pages the kernel
will explode.
Either way, this issue you've pointed out should be fixed in a separate
patch.
Thanks,
Sasha
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] kexec: prevent double free on image allocation failure
于 2013年02月22日 11:41, Sasha Levin 写道:
On 02/21/2013 09:46 PM, Zhang Yanfei wrote:
于 2013年02月22日 09:55, Eric W. Biederman 写道:
Sasha Levin sasha.le...@oracle.com writes:
If kimage_normal_alloc() fails to initialize an allocated kimage, it will
free
the image but would still set 'rimage', as a result kexec_load will try
to free it again.
This would explode as part of the freeing process is accessing internal
members which point to uninitialized memory.
Agreed.
I don't think that failure path has ever actually been exercised.
The code is wrong, and it is worth fixing.
Andrew I do you think you could queue this up? I don't have a handy tree.
I still found another malloc/free problem in this function. So I update the
patch.
-
From 1fb76a35e4109e1435f55048c20ea58622e7f87b Mon Sep 17 00:00:00 2001
From: Zhang Yanfei zhangyan...@cn.fujitsu.com
Date: Fri, 22 Feb 2013 10:34:02 +0800
Subject: [PATCH] kexec: fix allocation problems in function
kimage_normal_alloc
The function kimage_normal_alloc() has 2 allocation problems that may cause
failures:
1. If kimage_normal_alloc() fails to initialize an allocated kimage, it
will
free the image but would still set 'rimage', as a result kexec_load will
try to free it again.
This would explode as part of the freeing process is accessing internal
members which point to uninitialized memory.
2. If kimage_normal_alloc() fails to alloc pages for image-swap_page, it
should call kimage_free_page_list() to free allocated pages in
image-control_pages list before it frees image.
Signed-off-by: Sasha Levin sasha.le...@oracle.com
Signed-off-by: Zhang Yanfei zhangyan...@cn.fujitsu.com
---
kernel/kexec.c | 10 ++
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 5e4bd78..f219357 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -223,6 +223,8 @@ out:
}
+static void kimage_free_page_list(struct list_head *list);
+
static int kimage_normal_alloc(struct kimage **rimage, unsigned long entry,
unsigned long nr_segments,
struct kexec_segment __user *segments)
@@ -236,8 +238,6 @@ static int kimage_normal_alloc(struct kimage **rimage,
unsigned long entry,
if (result)
goto out;
-*rimage = image;
-
/*
* Find a location for the control code buffer, and add it
* the vector of segments so that it's pages will also be
@@ -259,10 +259,12 @@ static int kimage_normal_alloc(struct kimage **rimage,
unsigned long entry,
result = 0;
out:
-if (result == 0)
+if (result == 0) {
*rimage = image;
-else
+} else {
+kimage_free_page_list(image-control_pages);
kfree(image);
+}
return result;
}
And if do_kimage_alloc() fails instead of kimage_alloc_control_pages()
you will NULL deref 'image', so now instead of leaking pages the kernel
will explode.
Oh, I missed this.
Either way, this issue you've pointed out should be fixed in a separate
patch.
OK,I will send another patch.
Thanks
Zhang
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
