Re: Brainy: Kernel Use-after-free Memory Leak in hifn
On Mon, May 11, 2015 at 22:11 +0200, Maxime Villard wrote:
> Hi,
>
> I put here two bugs among others:
>
> sys/dev/pci/hifn7751.c 2757
>
>         if (!(m0->m_flags & M_EXT))
>             m_freem(m0);
>         len = MCLBYTES;
>     totlen -= len;
>     m0->m_pkthdr.len = m0->m_len = len;
>     mlast = m0;
>
> Use-after-free with 'm0'.
>
> sys/dev/pci/hifn7751.c 2766
>
>         MGET(m, M_DONTWAIT, MT_DATA);
>         if (m == NULL) {
>             m_freem(m0);
>             return (NULL);
>         }
>         MCLGET(m, M_DONTWAIT);
>         if (!(m->m_flags & M_EXT)) {
>             m_freem(m0);
>             return (NULL);
>         }
>         len = MCLBYTES;
>
> 'm' is leaked.
>
> Found by The Brainy Code Scanner.
>
> Maxime

Fixed in -current. Thanks for reporting!
Re: Brainy: Kernel Use-after-free Memory Leak in hifn
On Mon, 11 May 2015 22:11:10 +0200 Maxime Villard m...@m00nbsd.net wrote:
> Hi,
>
> I put here two bugs among others:
>
> sys/dev/pci/hifn7751.c 2757
>
>         if (!(m0->m_flags & M_EXT))
>             m_freem(m0);
>         len = MCLBYTES;
>     totlen -= len;
>     m0->m_pkthdr.len = m0->m_len = len;
>     mlast = m0;
>
> Use-after-free with 'm0'.
>
> sys/dev/pci/hifn7751.c 2766
>
>         MGET(m, M_DONTWAIT, MT_DATA);
>         if (m == NULL) {
>             m_freem(m0);
>             return (NULL);
>         }
>         MCLGET(m, M_DONTWAIT);
>         if (!(m->m_flags & M_EXT)) {
>             m_freem(m0);
>             return (NULL);
>         }
>         len = MCLBYTES;
>
> 'm' is leaked.
>
> Found by The Brainy Code Scanner.
>
> Maxime

If there are any other unresolved bugs your code scanner has found, please do report them. It's better for everyone.

Is there any chance you would one day open source it, or tell us what it is based on? :)

Thanks anyway!
Brainy: Kernel Use-after-free Memory Leak in hifn
Hi,

I put here two bugs among others:

sys/dev/pci/hifn7751.c 2757

        if (!(m0->m_flags & M_EXT))
            m_freem(m0);
        len = MCLBYTES;
    totlen -= len;
    m0->m_pkthdr.len = m0->m_len = len;
    mlast = m0;

Use-after-free with 'm0'.

sys/dev/pci/hifn7751.c 2766

        MGET(m, M_DONTWAIT, MT_DATA);
        if (m == NULL) {
            m_freem(m0);
            return (NULL);
        }
        MCLGET(m, M_DONTWAIT);
        if (!(m->m_flags & M_EXT)) {
            m_freem(m0);
            return (NULL);
        }
        len = MCLBYTES;

'm' is leaked.

Found by The Brainy Code Scanner.

Maxime
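The two error paths in the report share one shape: an allocation fails part-way through building an mbuf chain, and the cleanup either keeps using what it just freed (site 1, m0) or forgets the mbuf that is not linked in yet (site 2, m). The block below is an added user-space model of that chain builder with the cleanup done right; it is not the NetBSD hifn7751.c code or the committed fix. The struct mbuf, the MLEN/MCLBYTES/MINCLSIZE values and the mget/mclget/m_freem helpers are assumed stand-ins for the kernel API, and the fault-injection counters exist only so a caller can prove that every failure path frees exactly what was allocated.

```c
#include <stdlib.h>

/* Assumed stand-ins for the kernel's constants and struct mbuf; values are illustrative. */
#define MLEN      256
#define MCLBYTES  2048
#define MINCLSIZE (MLEN + 1)
#define M_EXT     0x0001

struct mbuf {
    struct mbuf *m_next;
    int          m_flags;
    size_t       m_len;
    void        *m_ext_buf;
};

/* Live-object counters plus fault injection: the N-th mbuf or cluster allocation
 * fails when the matching *_fail_at == N (1-based); 0 disables the fault. */
static int live_mbufs, live_clusters;
static int mbuf_calls, mbuf_fail_at, cluster_calls, cluster_fail_at;

static void set_faults(int mbuf_n, int cluster_n) { mbuf_calls = cluster_calls = 0; mbuf_fail_at = mbuf_n; cluster_fail_at = cluster_n; }
static int live_objects(void) { return live_mbufs + live_clusters; }

/* Stand-in for MGET/MGETHDR: NULL on (injected) failure. */
static struct mbuf *mget(void) {
    if (mbuf_fail_at && ++mbuf_calls == mbuf_fail_at) return NULL;
    struct mbuf *m = calloc(1, sizeof *m);
    if (m != NULL) live_mbufs++;
    return m;
}

/* Stand-in for MCLGET: on failure M_EXT simply stays clear, as in the kernel. */
static void mclget(struct mbuf *m) {
    if (cluster_fail_at && ++cluster_calls == cluster_fail_at) return;
    if ((m->m_ext_buf = malloc(MCLBYTES)) == NULL) return;
    m->m_flags |= M_EXT;
    live_clusters++;
}

/* Stand-in for m_freem: frees the whole chain, clusters included. */
static void m_freem(struct mbuf *m) {
    while (m != NULL) {
        struct mbuf *n = m->m_next;
        if (m->m_flags & M_EXT) { free(m->m_ext_buf); live_clusters--; }
        free(m); live_mbufs--;
        m = n;
    }
}

/* Chain builder with the corrected error handling: after m_freem(m0) at the
 * first site it returns instead of touching m0 again; at the second site the
 * not-yet-linked 'm' is freed together with m0 instead of being dropped. */
static struct mbuf *build_chain(size_t totlen) {
    struct mbuf *m0, *m, *mlast;
    size_t len;

    if ((m0 = mget()) == NULL) return NULL;
    len = MLEN;
    if (totlen >= MINCLSIZE) {
        mclget(m0);
        if (!(m0->m_flags & M_EXT)) {
            m_freem(m0);
            return NULL;                 /* site 1: m0 is gone, stop here */
        }
        len = MCLBYTES;
    }
    if (len > totlen) len = totlen;      /* last segment carries only what is left */
    totlen -= len;
    m0->m_len = len;
    mlast = m0;

    while (totlen > 0) {
        if ((m = mget()) == NULL) { m_freem(m0); return NULL; }
        len = MLEN;
        if (totlen >= MINCLSIZE) {
            mclget(m);
            if (!(m->m_flags & M_EXT)) {
                m_freem(m);              /* site 2: m is not on the chain yet */
                m_freem(m0);
                return NULL;
            }
            len = MCLBYTES;
        }
        if (len > totlen) len = totlen;
        totlen -= len;
        m->m_len = len;
        mlast->m_next = m;
        mlast = m;
    }
    return m0;
}

/* Sum of m_len over the chain, used to check the happy path. */
static size_t chain_bytes(const struct mbuf *m) {
    size_t n = 0;
    for (; m != NULL; m = m->m_next) n += m->m_len;
    return n;
}
```

Calling set_faults(0, 1) makes the first cluster allocation fail and exercises site 1; set_faults(0, 2) fails the second cluster and exercises site 2; set_faults(2, 0) fails the second mbuf. In every case build_chain must return NULL with live_objects() back at 0, which is exactly the property the scanner reported as broken at both sites.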