| Message ID | 20231224082035.3538560-1-alexious@zju.edu.cn (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | SUNRPC: fix a memleak in gss_import_v2_context | expand |
On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote: > The ctx->mech_used.data allocated by kmemdup is not freed in neither > gss_import_v2_context nor it only caller radeon_driver_open_kms. > Thus, this patch reform the last call of gss_import_v2_context to the > gss_krb5_import_ctx_v2, preventing the memleak while keepping the return > formation. > > Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd") > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > --- > net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c > index e31cfdf7eadc..1e54bd63e3f0 100644 > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c > @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, > u64 seq_send64; > int keylen; > u32 time32; > + int ret; > > p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags)); > if (IS_ERR(p)) > @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, > } > ctx->mech_used.len = gss_kerberos_mech.gm_oid.len; > > - return gss_krb5_import_ctx_v2(ctx, gfp_mask); > + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask); > + if (ret) { > + p = ERR_PTR(ret); > + goto out_free; > + }; > > +out_free: > + kfree(ctx->mech_used.data); If the caller's error flow does not invoke gss_krb5_delete_sec_context(), then I would expect more than just mech_used.data would be leaked. What if, instead, you changed gss_krb5_import_sec_context() like this (untested): 471 ret = gss_import_v2_context(p, end, ctx, gfp_mask); 472 memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess)); 473 if (ret) { - kfree(ctx); + gss_krb5_delete_sec_context(ctx); 475 return ret; 476 } Obviously you would need to add a forward declaration of gss_krb5_import_sec_context() to make this compile. The question is whether gss_krb5_delete_sec_context() will deal with a partially- initialized @ctx. How did you find this leak, and what kind of testing was done to confirm the fix is safe? > out_err: > return PTR_ERR(p); > } > -- > 2.34.1 >
On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote: > The ctx->mech_used.data allocated by kmemdup is not freed in neither > gss_import_v2_context nor it only caller radeon_driver_open_kms. > Thus, this patch reform the last call of gss_import_v2_context to the > gss_krb5_import_ctx_v2, preventing the memleak while keepping the return > formation. > > Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd") > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > --- > net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c > index e31cfdf7eadc..1e54bd63e3f0 100644 > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c > @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, > u64 seq_send64; > int keylen; > u32 time32; > + int ret; > > p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags)); > if (IS_ERR(p)) > @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, > } > ctx->mech_used.len = gss_kerberos_mech.gm_oid.len; > > - return gss_krb5_import_ctx_v2(ctx, gfp_mask); > + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask); > + if (ret) { > + p = ERR_PTR(ret); > + goto out_free; > + }; Hi Zhipeng Lu, I think you need to handle the non-error case here: return 0; > > +out_free: > + kfree(ctx->mech_used.data); > out_err: > return PTR_ERR(p); > } > -- > 2.34.1 >
> On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote: > > The ctx->mech_used.data allocated by kmemdup is not freed in neither > > gss_import_v2_context nor it only caller radeon_driver_open_kms. > > Thus, this patch reform the last call of gss_import_v2_context to the > > gss_krb5_import_ctx_v2, preventing the memleak while keepping the return > > formation. > > > > Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd") > > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > > --- > > net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++- > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c > > index e31cfdf7eadc..1e54bd63e3f0 100644 > > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c > > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c > > @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, > > u64 seq_send64; > > int keylen; > > u32 time32; > > + int ret; > > > > p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags)); > > if (IS_ERR(p)) > > @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, > > } > > ctx->mech_used.len = gss_kerberos_mech.gm_oid.len; > > > > - return gss_krb5_import_ctx_v2(ctx, gfp_mask); > > + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask); > > + if (ret) { > > + p = ERR_PTR(ret); > > + goto out_free; > > + }; > > > > +out_free: > > + kfree(ctx->mech_used.data); > > If the caller's error flow does not invoke > gss_krb5_delete_sec_context(), then I would expect more than just > mech_used.data would be leaked. What if, instead, you changed > gss_krb5_import_sec_context() like this (untested): > > 471 ret = gss_import_v2_context(p, end, ctx, gfp_mask); > 472 memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess)); > 473 if (ret) { > - kfree(ctx); > + gss_krb5_delete_sec_context(ctx); > 475 return ret; > 476 } > > Obviously you would need to add a forward declaration of > gss_krb5_import_sec_context() to make this compile. The question > is whether gss_krb5_delete_sec_context() will deal with a partially- > initialized @ctx. Since the ctx is allocated just in gss_krb5_import_sec_context, together with that all of gss_krb5_import_sec_context, gss_import_v2_context(with this patch) and gss_krb5_import_ctx_v2 are allocation-free balanced. It seems that we don't need to release anything else by invoking gss_krb5_delete_sec_context. If I miss something leaked, please let me know. > > How did you find this leak, and what kind of testing was done to > confirm the fix is safe? I found this memleak by static analysis. The safety issue can't be solved by automatic tools as far as I know. So I check patches manuelly before sending patches. > > out_err: > > return PTR_ERR(p); > > } > > -- > > 2.34.1 > > > > -- > Chuck Lever
On Tue, Dec 26, 2023 at 05:01:05PM +0800, alexious@zju.edu.cn wrote: > > On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote: > > > The ctx->mech_used.data allocated by kmemdup is not freed in neither > > > gss_import_v2_context nor it only caller radeon_driver_open_kms. > > > Thus, this patch reform the last call of gss_import_v2_context to the > > > gss_krb5_import_ctx_v2, preventing the memleak while keepping the return > > > formation. > > > > > > Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd") > > > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> > > > --- > > > net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++- > > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > > > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c > > > index e31cfdf7eadc..1e54bd63e3f0 100644 > > > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c > > > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c > > > @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, > > > u64 seq_send64; > > > int keylen; > > > u32 time32; > > > + int ret; > > > > > > p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags)); > > > if (IS_ERR(p)) > > > @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, > > > } > > > ctx->mech_used.len = gss_kerberos_mech.gm_oid.len; > > > > > > - return gss_krb5_import_ctx_v2(ctx, gfp_mask); > > > + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask); > > > + if (ret) { > > > + p = ERR_PTR(ret); > > > + goto out_free; > > > + }; > > > > > > +out_free: > > > + kfree(ctx->mech_used.data); > > > > If the caller's error flow does not invoke > > gss_krb5_delete_sec_context(), then I would expect more than just > > mech_used.data would be leaked. What if, instead, you changed > > gss_krb5_import_sec_context() like this (untested): > > > > 471 ret = gss_import_v2_context(p, end, ctx, gfp_mask); > > 472 memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess)); > > 473 if (ret) { > > - kfree(ctx); > > + gss_krb5_delete_sec_context(ctx); > > 475 return ret; > > 476 } > > > > Obviously you would need to add a forward declaration of > > gss_krb5_import_sec_context() to make this compile. The question > > is whether gss_krb5_delete_sec_context() will deal with a partially- > > initialized @ctx. > > Since the ctx is allocated just in gss_krb5_import_sec_context, > together with that all of gss_krb5_import_sec_context, gss_import_v2_context(with this patch) > and gss_krb5_import_ctx_v2 are allocation-free balanced. It seems that we don't need to > release anything else by invoking gss_krb5_delete_sec_context. > > If I miss something leaked, please let me know. I see, if gss_krb5_import_ctx_v2() fails, it releases the ciphers and hashes via out_free. So no leak there. A nicer approach would be to handle that clean up in gss_krb5_import_sec_context(): less code duplication. But you're right, it's not broken today. > > How did you find this leak, and what kind of testing was done to > > confirm the fix is safe? > > I found this memleak by static analysis. > The safety issue can't be solved by automatic tools as far as I know. > So I check patches manuelly before sending patches. Can you give some details about how you check the patches?
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index e31cfdf7eadc..1e54bd63e3f0 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c @@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, u64 seq_send64; int keylen; u32 time32; + int ret; p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags)); if (IS_ERR(p)) @@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx, } ctx->mech_used.len = gss_kerberos_mech.gm_oid.len; - return gss_krb5_import_ctx_v2(ctx, gfp_mask); + ret = gss_krb5_import_ctx_v2(ctx, gfp_mask); + if (ret) { + p = ERR_PTR(ret); + goto out_free; + }; +out_free: + kfree(ctx->mech_used.data); out_err: return PTR_ERR(p); }
The ctx->mech_used.data allocated by kmemdup is not freed in neither gss_import_v2_context nor it only caller radeon_driver_open_kms. Thus, this patch reform the last call of gss_import_v2_context to the gss_krb5_import_ctx_v2, preventing the memleak while keepping the return formation. Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd") Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn> --- net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)