* [PATCH] fs/binfmt_elf: free interpreter in load_elf_binary
@ 2020-11-04  2:06 Liu Shixin
  0 siblings, 0 replies; 3+ messages in thread
From: Liu Shixin @ 2020-11-04  2:06 UTC (permalink / raw)
  To: Alexander Viro; +Cc: linux-fsdevel, linux-kernel, Liu Shixin

The file interpreter is allocated in load_elf_binary, but not freed
in the case interp_elf_ex is NULL.
We add a new mark out_free_file for this case to free interpreter.

This memory leak is caught when kmemleak is enabled in the kernel,
the report looks like below:

unreferenced object 0xffff8b6e9fd41400 (size 488):
  comm "service", pid 4095, jiffies 4300970844 (age 49.618s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    e0 08 be b9 6e 8b ff ff 00 13 04 b7 6e 8b ff ff  ....n.......n...
  backtrace:
    [<00000000eacadaa2>] kmem_cache_alloc+0x164/0x320
    [<0000000090fb7bf2>] __alloc_file+0x2a/0x140
    [<00000000ff8fab86>] alloc_empty_file+0x4b/0x100
    [<000000003ab9b00d>] path_openat+0x4a/0xe20
    [<0000000027e3a067>] do_filp_open+0xb9/0x150
    [<000000000edebcac>] do_open_execat+0xa6/0x250
    [<000000008845564e>] open_exec+0x31/0x60
    [<00000000e6e6e1ca>] load_elf_binary+0x1dd/0x1b60
    [<000000004515d8f0>] do_execveat_common.isra.39+0xaa0/0x1000
    [<000000002ca5e83f>] __x64_sys_execve+0x37/0x40
    [<00000000beb519e4>] do_syscall_64+0x56/0xa0
    [<000000009cf54d51>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Liu Shixin <liushixin2@huawei.com>
---
 fs/binfmt_elf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index fa50e8936f5f..e223d798e5d8 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -907,7 +907,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
 		interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
 		if (!interp_elf_ex) {
 			retval = -ENOMEM;
-			goto out_free_ph;
+			goto out_free_file;
 		}
 
 		/* Get the exec headers */
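
Review bot: At `goto out_free_file;`, consider whether a new label is needed at all: `interp_elf_ex` is NULL on this path and kfree(NULL) is a no-op, so jumping to the existing `out_free_dentry` would also release the interpreter, provided `interp_elf_phdata` is still NULL this early, which this hunk does not show. If the new label is kept to avoid relying on that, say so in the changelog, and add a Fixes: tag naming the commit that introduced the `out_free_ph` jump so the fix can be backported.
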
@@ -1316,6 +1316,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
 out_free_dentry:
 	kfree(interp_elf_ex);
 	kfree(interp_elf_phdata);
+out_free_file:
 	allow_write_access(interpreter);
 	if (interpreter)
 		fput(interpreter);
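
Review bot: The label `out_free_file:` is placed in front of `allow_write_access(interpreter);`, so its name describes only the `fput()` two lines later. A label named after the first action it performs, for example `out_allow_write_access`, would tell a reader of the `goto` what actually runs on this exit path.
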
-- 
2.25.1



* [PATCH] fs/binfmt_elf: free interpreter in load_elf_binary
       [not found] <5bfc1c45-668d-9070-fddc-d15dbe39d12e@web.de>
@ 2020-11-04  9:33   ` Liu Shixin
  0 siblings, 0 replies; 3+ messages in thread
From: Liu Shixin @ 2020-11-04  9:33 UTC (permalink / raw)
  To: Markus Elfring, linux-fsdevel
  Cc: Alexander Viro, linux-kernel, kernel-janitors, Liu Shixin

The file interpreter is allocated in load_elf_binary, but not freed
in the case interp_elf_ex is NULL.
Add a label “out_allow_write_access” so that the interpreter
will be appropriately released in this case.

This memory leak is caught when kmemleak is enabled in the kernel,
the report looks like below:

unreferenced object 0xffff8b6e9fd41400 (size 488):
  comm "service", pid 4095, jiffies 4300970844 (age 49.618s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    e0 08 be b9 6e 8b ff ff 00 13 04 b7 6e 8b ff ff  ....n.......n...
  backtrace:
    [<00000000eacadaa2>] kmem_cache_alloc+0x164/0x320
    [<0000000090fb7bf2>] __alloc_file+0x2a/0x140
    [<00000000ff8fab86>] alloc_empty_file+0x4b/0x100
    [<000000003ab9b00d>] path_openat+0x4a/0xe20
    [<0000000027e3a067>] do_filp_open+0xb9/0x150
    [<000000000edebcac>] do_open_execat+0xa6/0x250
    [<000000008845564e>] open_exec+0x31/0x60
    [<00000000e6e6e1ca>] load_elf_binary+0x1dd/0x1b60
    [<000000004515d8f0>] do_execveat_common.isra.39+0xaa0/0x1000
    [<000000002ca5e83f>] __x64_sys_execve+0x37/0x40
    [<00000000beb519e4>] do_syscall_64+0x56/0xa0
    [<000000009cf54d51>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 0693ffebcfe5 ("fs/binfmt_elf.c: allocate less for static executable")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
---
 fs/binfmt_elf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index fa50e8936f5f..28e75cb45b26 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -907,7 +907,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
 		interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL);
 		if (!interp_elf_ex) {
 			retval = -ENOMEM;
-			goto out_free_ph;
+			goto out_allow_write_access;
 		}
 
 		/* Get the exec headers */
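
Review bot: The `goto` target here is renamed from the earlier posting (`out_free_file` became `out_allow_write_access`) and a Fixes: tag was added, but the subject is still a plain [PATCH] and nothing after the `---` line records what changed. Resend as [PATCH v2] with a short changelog below `---` so maintainers can tell which version to pick up.
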
@@ -1316,6 +1316,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
 out_free_dentry:
 	kfree(interp_elf_ex);
 	kfree(interp_elf_phdata);
+out_allow_write_access:
 	allow_write_access(interpreter);
 	if (interpreter)
 		fput(interpreter);
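
Review bot: With `out_allow_write_access:` inserted here, the block is now entered both by fall-through from `out_free_dentry` and by the -ENOMEM jump, and it calls `allow_write_access(interpreter)` unguarded while `fput(interpreter)` sits under `if (interpreter)`. The new path only runs after the interpreter file was opened (the kmemleak trace shows it allocated via open_exec), so the jump itself looks safe, but a one-line comment or moving both calls under the same NULL check would make the shared exit easier to audit.
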
-- 
2.25.1


