summarylogtreecommitdiffstats
path: root/0003-exec-Fix-mem-leak-in-kernel_read_file.patch
diff options
context:
space:
mode:
Diffstat (limited to '0003-exec-Fix-mem-leak-in-kernel_read_file.patch')
-rw-r--r--0003-exec-Fix-mem-leak-in-kernel_read_file.patch49
1 files changed, 49 insertions, 0 deletions
diff --git a/0003-exec-Fix-mem-leak-in-kernel_read_file.patch b/0003-exec-Fix-mem-leak-in-kernel_read_file.patch
new file mode 100644
index 00000000000..e8c87ad807d
--- /dev/null
+++ b/0003-exec-Fix-mem-leak-in-kernel_read_file.patch
@@ -0,0 +1,49 @@
+From 3096ba94fa87b22664baa91e71a55ce698bb8aed Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 19 Feb 2019 10:10:38 +0800
+Subject: [PATCH 3/3] exec: Fix mem leak in kernel_read_file
+
+syzkaller report this:
+BUG: memory leak
+unreferenced object 0xffffc9000488d000 (size 9195520):
+ comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
+ hex dump (first 32 bytes):
+ ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
+ 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
+ backtrace:
+ [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
+ [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
+ [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
+ [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
+ [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
+ [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
+ [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [<00000000241f889b>] 0xffffffffffffffff
+
+It should goto 'out_free' lable to free allocated buf while kernel_read
+fails.
+
+Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index fc281b738a98..20c33029a062 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -929,7 +929,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
+ bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
+ if (bytes < 0) {
+ ret = bytes;
+- goto out;
++ goto out_free;
+ }
+
+ if (bytes == 0)
+--
+2.20.1
+