Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

2019-03-13 Thread Dmitry Kasatkin




On 13/03/2019 16:38, gre...@linuxfoundation.org wrote:
> On Wed, Mar 13, 2019 at 02:12:30PM +, Dmitry Kasatkin wrote:
> > From: Sasha Levin
> > Sent: Tuesday, March 12, 2019 1:16 AM
> > To: Dmitry Kasatkin
> > Cc: Al Viro; yuehaibing; linux-kernel@vger.kernel.org;
> > linux-fsde...@vger.kernel.org; keesc...@chromium.org; sta...@vger.kernel.org;
> > gre...@google.com
> > Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
> >
> > On Mon, Mar 11, 2019 at 04:59:14PM +, Dmitry Kasatkin wrote:
> > > From: Al Viro  on behalf of Al Viro
> > > Sent: Tuesday, February 19, 2019 4:25 AM
> > > To: yuehaibing
> > > Cc: linux-kernel@vger.kernel.org; linux-fsde...@vger.kernel.org; Dmitry
> > > Kasatkin; keesc...@chromium.org
> > > Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
> > >
> > > On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
> > > > syzkaller reports this:
> > > > BUG: memory leak
> > > > unreferenced object 0xc9000488d000 (size 9195520):
> > > >   comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
> > > >   hex dump (first 32 bytes):
> > > >     ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00
> > > >     02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..z.
> > > >   backtrace:
> > > >     [<0863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
> > > >     [<0863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
> > > >     [<0863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
> > > >     [<3f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
> > > >     [<2385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
> > > >     [<11953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
> > > >     [<6f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
> > > >     [<ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > >     [<241f889b>] 0x
> > > >
> > > > It should goto 'out_free' label to free allocated buf while kernel_read
> > > > fails.
> > >
> > > Applied.
> > >
> > > This must be applied to stables as well...
> >
> > > It's already in all relevant stable trees...
> >
> > I only can see in longterm 4.19.
> >
> > What about 4.9 and 4.14?
>
> It was in the queue already for that (you can see it on git.kernel.org),
> and they are now part of the -rc releases that are currently out for
> review.
>
> thanks,
>
> greg k-h

Thanks!

Dmitry

Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

2019-03-13 Thread gre...@linuxfoundation.org
On Wed, Mar 13, 2019 at 02:12:30PM +, Dmitry Kasatkin wrote:
> From: Sasha Levin 
> Sent: Tuesday, March 12, 2019 1:16 AM
> To: Dmitry Kasatkin
> Cc: Al Viro; yuehaibing; linux-kernel@vger.kernel.org; 
> linux-fsde...@vger.kernel.org; keesc...@chromium.org; sta...@vger.kernel.org; 
> gre...@google.com
> Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
>     
> On Mon, Mar 11, 2019 at 04:59:14PM +, Dmitry Kasatkin wrote:
> >
> >From: Al Viro  on behalf of Al Viro 
> >
> >Sent: Tuesday, February 19, 2019 4:25 AM
> >To: yuehaibing
> >Cc: linux-kernel@vger.kernel.org; linux-fsde...@vger.kernel.org; Dmitry 
> >Kasatkin; keesc...@chromium.org
> >Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
> > 
> >On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
> >> syzkaller reports this:
> >> BUG: memory leak
> >> unreferenced object 0xc9000488d000 (size 9195520):
> >>   comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
> >>   hex dump (first 32 bytes):
> >> ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  
> >> 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..z.
> >>   backtrace:
> >> [<0863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
> >> [<0863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
> >> [<0863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
> >> [<3f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
> >> [<2385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
> >> [<11953ff1>] __do_sys_finit_module+0x13b/0x2a0 
> >>kernel/module.c:3895
> >> [<6f58491f>] do_syscall_64+0x147/0x600 
> >>arch/x86/entry/common.c:290
> >> [<ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >> [<241f889b>] 0x
> >>
> >> It should goto 'out_free' label to free allocated buf while kernel_read
> >> fails.
> >
> >Applied.
> >
> >
> >This must be applied to stables as well...
> 
> > It's already in all relevant stable trees...
> 
> I only can see in longterm 4.19.
> 
> What about 4.9 and 4.14?

It was in the queue already for that (you can see it on git.kernel.org),
and they are now part of the -rc releases that are currently out for
review.

thanks,

greg k-h


Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

2019-03-13 Thread Dmitry Kasatkin







From: Sasha Levin 
Sent: Tuesday, March 12, 2019 1:16 AM
To: Dmitry Kasatkin
Cc: Al Viro; yuehaibing; linux-kernel@vger.kernel.org; 
linux-fsde...@vger.kernel.org; keesc...@chromium.org; sta...@vger.kernel.org; 
gre...@google.com
Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
    
On Mon, Mar 11, 2019 at 04:59:14PM +, Dmitry Kasatkin wrote:
>
>From: Al Viro  on behalf of Al Viro 
>
>Sent: Tuesday, February 19, 2019 4:25 AM
>To: yuehaibing
>Cc: linux-kernel@vger.kernel.org; linux-fsde...@vger.kernel.org; Dmitry 
>Kasatkin; keesc...@chromium.org
>Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
> 
>On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
>> syzkaller reports this:
>> BUG: memory leak
>> unreferenced object 0xc9000488d000 (size 9195520):
>>   comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
>>   hex dump (first 32 bytes):
>> ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  
>> 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..z.
>>   backtrace:
>> [<0863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
>> [<0863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
>> [<0863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
>> [<3f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
>> [<2385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
>> [<11953ff1>] __do_sys_finit_module+0x13b/0x2a0 
>>kernel/module.c:3895
>> [<6f58491f>] do_syscall_64+0x147/0x600 
>>arch/x86/entry/common.c:290
>> [<ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> [<241f889b>] 0x
>>
>> It should goto 'out_free' label to free allocated buf while kernel_read
>> fails.
>
>Applied.
>
>
>This must be applied to stables as well...

> It's already in all relevant stable trees...

I only can see in longterm 4.19.

What about 4.9 and 4.14?

Thanks,
Dmitry


Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

2019-03-11 Thread Sasha Levin

On Mon, Mar 11, 2019 at 04:59:14PM +, Dmitry Kasatkin wrote:
> From: Al Viro  on behalf of Al Viro
> Sent: Tuesday, February 19, 2019 4:25 AM
> To: yuehaibing
> Cc: linux-kernel@vger.kernel.org; linux-fsde...@vger.kernel.org; Dmitry
> Kasatkin; keesc...@chromium.org
> Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
>
> On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
> > syzkaller reports this:
> > BUG: memory leak
> > unreferenced object 0xc9000488d000 (size 9195520):
> >   comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
> >   hex dump (first 32 bytes):
> >     ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00
> >     02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..z.
> >   backtrace:
> >     [<0863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
> >     [<0863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
> >     [<0863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
> >     [<3f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
> >     [<2385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
> >     [<11953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
> >     [<6f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
> >     [<ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >     [<241f889b>] 0x
> >
> > It should goto 'out_free' label to free allocated buf while kernel_read
> > fails.
>
> Applied.
>
> This must be applied to stables as well...

It's already in all relevant stable trees...

--
Thanks,
Sasha


Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

2019-03-11 Thread Dmitry Kasatkin


From: Al Viro  on behalf of Al Viro 

Sent: Tuesday, February 19, 2019 4:25 AM
To: yuehaibing
Cc: linux-kernel@vger.kernel.org; linux-fsde...@vger.kernel.org; Dmitry 
Kasatkin; keesc...@chromium.org
Subject: Re: [PATCH -next] exec: Fix mem leak in kernel_read_file
    
On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
> syzkaller reports this:
> BUG: memory leak
> unreferenced object 0xc9000488d000 (size 9195520):
>   comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
>   hex dump (first 32 bytes):
> ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  
> 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..z.
>   backtrace:
> [<0863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
> [<0863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
> [<0863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
> [<3f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
> [<2385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
> [<11953ff1>] __do_sys_finit_module+0x13b/0x2a0 
>kernel/module.c:3895
> [<6f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
> [<ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [<241f889b>] 0x
> 
> It should goto 'out_free' label to free allocated buf while kernel_read
> fails.

Applied.


This must be applied to stables as well...



Re: [PATCH -next] exec: Fix mem leak in kernel_read_file

2019-02-18 Thread Al Viro
On Tue, Feb 19, 2019 at 10:10:38AM +0800, YueHaibing wrote:
> syzkaller reports this:
> BUG: memory leak
> unreferenced object 0xc9000488d000 (size 9195520):
>   comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
>   hex dump (first 32 bytes):
> ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  
> 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..z.
>   backtrace:
> [<0863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
> [<0863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
> [<0863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
> [<3f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
> [<2385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
> [<11953ff1>] __do_sys_finit_module+0x13b/0x2a0 
> kernel/module.c:3895
> [<6f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
> [] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [<241f889b>] 0x
> 
> It should goto 'out_free' label to free allocated buf while kernel_read
> fails.

Applied.


[PATCH -next] exec: Fix mem leak in kernel_read_file

2019-02-18 Thread YueHaibing
syzkaller reports this:
BUG: memory leak
unreferenced object 0xc9000488d000 (size 9195520):
  comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
  hex dump (first 32 bytes):
ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  
02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..z.
  backtrace:
[<0863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
[<0863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
[<0863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
[<3f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
[<2385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
[<11953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
[<6f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
[] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<241f889b>] 0x

It should goto 'out_free' label to free allocated buf while kernel_read
fails.

Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
Signed-off-by: YueHaibing 
---
 fs/exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c
index 7a4b5ef..2e00333 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -932,7 +932,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t 
*size,
bytes = kernel_read(file, *buf + pos, i_size - pos, );
if (bytes < 0) {
ret = bytes;
-   goto out;
+   goto out_free;
}
 
if (bytes == 0)
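
Review bot: the new 'goto out_free' in the 'if (bytes < 0)' branch jumps to a label that lies outside this hunk's context, and the changelog only says that it frees the allocated buf. Please state in the commit message that 'out_free' still reaches the cleanup under 'out', the label this branch used before, so that the write-access handling named in the Fixes: tag is not skipped on the kernel_read error path. It is also worth confirming there that '*buf' is not left pointing at the freed allocation when 'ret' is returned to the caller, since callers such as kernel_read_file_from_fd in the reported backtrace receive that pointer. With both points stated, the one-line change matches the syzkaller report, where the vmalloc'd buffer from kernel_read_file (size 9195520) is never released.
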
-- 
2.7.0