Re: Brainy: Kernel Use-after-free Memory Leak in hifn

2015-05-12 Thread Mike Belopuhov
On Mon, May 11, 2015 at 22:11 +0200, Maxime Villard wrote:
> Hi,
> I put here two bugs among others:
> 
> sys/dev/pci/hifn7751.c
> 
> 2757
>     if (!(m0->m_flags & M_EXT))
>         m_freem(m0);
>     len = MCLBYTES;
> 
>     totlen -= len;
>     m0->m_pkthdr.len = m0->m_len = len;
>     mlast = m0;
> 
> Use-after-free with 'm0'.
> 
> sys/dev/pci/hifn7751.c
> 
> 2766
>     MGET(m, M_DONTWAIT, MT_DATA);
>     if (m == NULL) {
>         m_freem(m0);
>         return (NULL);
>     }
>     MCLGET(m, M_DONTWAIT);
>     if (!(m->m_flags & M_EXT)) {
>         m_freem(m0);
>         return (NULL);
>     }
>     len = MCLBYTES;
> 
> 'm' is leaked.
> 
> Found by The Brainy Code Scanner.
> 
> Maxime
> 

Fixed in -current.  Thanks for reporting!



Re: Brainy: Kernel Use-after-free Memory Leak in hifn

2015-05-12 Thread sam
On Mon, 11 May 2015 22:11:10 +0200
Maxime Villard m...@m00nbsd.net wrote:

> Hi,
> I put here two bugs among others:
> 
> sys/dev/pci/hifn7751.c
> 
> 2757
>     if (!(m0->m_flags & M_EXT))
>         m_freem(m0);
>     len = MCLBYTES;
> 
>     totlen -= len;
>     m0->m_pkthdr.len = m0->m_len = len;
>     mlast = m0;
> 
> Use-after-free with 'm0'.
> 
> sys/dev/pci/hifn7751.c
> 
> 2766
>     MGET(m, M_DONTWAIT, MT_DATA);
>     if (m == NULL) {
>         m_freem(m0);
>         return (NULL);
>     }
>     MCLGET(m, M_DONTWAIT);
>     if (!(m->m_flags & M_EXT)) {
>         m_freem(m0);
>         return (NULL);
>     }
>     len = MCLBYTES;
> 
> 'm' is leaked.
> 
> Found by The Brainy Code Scanner.
> 
> Maxime
> 

If there are any other unresolved bugs your code scanner has found,
please do report them. It's better for everyone.

Is there any chance you would one day open source it, or tell us what
it is based on? :)

Thanks anyway!



Brainy: Kernel Use-after-free Memory Leak in hifn

2015-05-11 Thread Maxime Villard
Hi,
I put here two bugs among others:

sys/dev/pci/hifn7751.c

2757
    if (!(m0->m_flags & M_EXT))
        m_freem(m0);
    len = MCLBYTES;

    totlen -= len;
    m0->m_pkthdr.len = m0->m_len = len;
    mlast = m0;

Use-after-free with 'm0'.

sys/dev/pci/hifn7751.c

2766
    MGET(m, M_DONTWAIT, MT_DATA);
    if (m == NULL) {
        m_freem(m0);
        return (NULL);
    }
    MCLGET(m, M_DONTWAIT);
    if (!(m->m_flags & M_EXT)) {
        m_freem(m0);
        return (NULL);
    }
    len = MCLBYTES;

'm' is leaked.

Found by The Brainy Code Scanner.

Maxime
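The two error paths reported above, rebuilt as an added C example that is not part of this thread or of the OpenBSD driver: a toy mbuf allocator with fault injection and a live-object counter, plus a version of the chain-building loop whose head-cluster failure returns immediately after m_freem(m0) (so the freed mbuf is never written to) and whose continuation-cluster failure frees the still-unlinked m before the chain (so nothing leaks). The struct mbuf layout, the mget/mclget/m_freem stand-ins, the sizes, and the function names build_chain, run_build and leaked_after are all assumptions made for this example, not the kernel's API.

```c
#include <stdlib.h>
#include <stdio.h>

/* Toy stand-in for the mbuf API (assumed for this example, not OpenBSD's code):
 * just enough to run the report's chain-building pattern under fault injection. */
#define M_EXT     0x0001
#define MLEN      128                   /* simplified sizes */
#define MCLBYTES  2048
#define MINCLSIZE (MLEN + 1)

struct mbuf { struct mbuf *m_next; int m_flags, m_len, m_pkthdr_len; };

/* Fault injection: allocation step fail_at_alloc (1-based) fails, 0 = never.
 * live_mbufs counts outstanding mbufs and serves as the leak detector. */
static int fail_at_alloc, alloc_count, live_mbufs;

static struct mbuf *mget(void) {        /* MGET/MGETHDR stand-in */
    struct mbuf *m;
    if (++alloc_count == fail_at_alloc || (m = calloc(1, sizeof *m)) == NULL)
        return NULL;
    live_mbufs++;
    return m;
}

static void mclget(struct mbuf *m) {    /* MCLGET stand-in: M_EXT stays clear on failure */
    if (++alloc_count != fail_at_alloc)
        m->m_flags |= M_EXT;
}

static void m_freem(struct mbuf *m) {   /* free a whole chain; NULL is a no-op */
    while (m != NULL) {
        struct mbuf *n = m->m_next;
        free(m);
        live_mbufs--;
        m = n;
    }
}

/* Hardened loop. Against the reported code: a cluster failure on the head
 * returns right after m_freem(m0) instead of falling through, and a cluster
 * failure on a continuation mbuf frees the still-unlinked 'm' before the chain. */
static struct mbuf *build_chain(int totlen) {
    struct mbuf *m0, *m, *mlast;
    int len;
    if ((m0 = mget()) == NULL)
        return NULL;
    len = MLEN;
    if (totlen >= MINCLSIZE) {
        mclget(m0);
        if (!(m0->m_flags & M_EXT)) {
            m_freem(m0);
            return NULL;                /* m0 is freed: nothing below may touch it */
        }
        len = MCLBYTES;
    }
    totlen -= len;
    m0->m_pkthdr_len = m0->m_len = len;
    mlast = m0;
    while (totlen > 0) {
        if ((m = mget()) == NULL) {
            m_freem(m0);
            return NULL;
        }
        len = MLEN;
        if (totlen >= MINCLSIZE) {
            mclget(m);
            if (!(m->m_flags & M_EXT)) {
                m_freem(m);             /* not linked into m0 yet: free it explicitly */
                m_freem(m0);
                return NULL;
            }
            len = MCLBYTES;
        }
        m->m_len = len;
        mlast->m_next = m;
        mlast = m;
        totlen -= len;
    }
    return m0;
}

/* Run one build with the given fault (0 = none), release the result, and
 * return its chain length (0 when the build failed). live_mbufs afterwards
 * tells how many mbufs leaked. */
static int run_build(int fail_at, int totlen) {
    alloc_count = live_mbufs = 0;
    fail_at_alloc = fail_at;
    struct mbuf *c = build_chain(totlen);
    int n = 0;
    for (struct mbuf *p = c; p != NULL; p = p->m_next)
        n++;
    m_freem(c);
    return n;
}

/* Leaked mbufs after a build with the given fault: 0 means the error path was clean. */
static int leaked_after(int fail_at, int totlen) { run_build(fail_at, totlen); return live_mbufs; }

int main(void) {
    for (int step = 1; step <= 6; step++)   /* 3 clusters take 6 allocation steps */
        printf("fault at step %d: %d mbuf(s) leaked\n", step, leaked_after(step, 3 * MCLBYTES));
    return 0;
}
```

Running it prints one line per injected fault, each reporting 0 leaked. The same harness pointed at the loop as reported would count one leaked mbuf at the continuation-cluster step, and the head-cluster step would write to m0 after m_freem(m0), which is exactly what a sanitizer or a poisoned-free allocator flags; failing every allocation step in turn is a cheap way to exercise the cleanup paths that a static scanner like the one in the report also inspects.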