| Message ID | 20240319170055.17942-1-mheyne@amazon.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [4.19,5.4,5.15] btrfs: defrag: fix memory leak in btrfs_ioctl_defrag | expand |
On Tue, Mar 19, 2024 at 05:00:55PM +0000, Maximilian Heyne wrote: > Prior to commit c853a5783ebe ("btrfs: allocate > btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap > and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject > unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of > this when it was backported to kernel < 5.15. > > Add a kfree on the error path for stable kernels that lack > commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on > stack"). > > This bug was discovered and resolved using Coverity Static Analysis > Security Testing (SAST) by Synopsys, Inc. Good catch, thanks. The affected versions are as you say 4.19, 5.4, 5.15, the fixup is sufficient and minimal fix, c853a5783ebe is reasonably safe for backport too.
On Tue, Mar 19, 2024 at 07:57:11PM +0100, David Sterba wrote: > > On Tue, Mar 19, 2024 at 05:00:55PM +0000, Maximilian Heyne wrote: > > Prior to commit c853a5783ebe ("btrfs: allocate > > btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap > > and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject > > unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of > > this when it was backported to kernel < 5.15. > > > > Add a kfree on the error path for stable kernels that lack > > commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on > > stack"). > > > > This bug was discovered and resolved using Coverity Static Analysis > > Security Testing (SAST) by Synopsys, Inc. > > Good catch, thanks. > > The affected versions are as you say 4.19, 5.4, 5.15, the fixup is I had a typo. Should go to 5.10 because c853a5783ebe is already in 5.15. > sufficient and minimal fix, c853a5783ebe is reasonably safe for backport > too. I think you're right. To avoid divergence it might be better to simply backport c853a5783ebe. Let me send this out. Amazon Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B Sitz: Berlin Ust-ID: DE 289 237 879
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 049b837934e5..adc6c4f2b53c 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -3195,6 +3195,7 @@ static int btrfs_ioctl_defrag(struct file *file, void __user *argp) } if (range->flags & ~BTRFS_DEFRAG_RANGE_FLAGS_SUPP) { ret = -EOPNOTSUPP; + kfree(range); goto out; } /* compression requires us to start the IO */
Prior to commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on stack") range is allocated on the heap and must be freed. However, commit 173431b274a9 ("btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args") didn't take care of this when it was backported to kernel < 5.15. Add a kfree on the error path for stable kernels that lack commit c853a5783ebe ("btrfs: allocate btrfs_ioctl_defrag_range_args on stack"). This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Fixes: 173431b274a9 ("btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args") CC: stable@vger.kernel.org Signed-off-by: Maximilian Heyne <mheyne@amazon.de> --- fs/btrfs/ioctl.c | 1 + 1 file changed, 1 insertion(+)