linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* memory leak in exfat_parse_param
@ 2020-06-02  5:03 butt3rflyh4ck
  2020-06-02 16:28 ` Al Viro
  0 siblings, 1 reply; 3+ messages in thread
From: butt3rflyh4ck @ 2020-06-02  5:03 UTC (permalink / raw)
  To: namjae.jeon, sj1557.seo; +Cc: linux-fsdevel, linux-kernel, syzkaller

I report a bug (in linux-5.7.0-rc7) found by syzkaller.

kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/config-v5.7.0-rc7

and can reproduce.

A param->string held by exfat_mount_options.

BUG: memory leak

unreferenced object 0xffff88801972e090 (size 8):
  comm "syz-executor.2", pid 16298, jiffies 4295172466 (age 14.060s)
  hex dump (first 8 bytes):
    6b 6f 69 38 2d 75 00 00                          koi8-u..
  backtrace:
    [<000000005bfe35d6>] kstrdup+0x36/0x70 mm/util.c:60
    [<0000000018ed3277>] exfat_parse_param+0x160/0x5e0 fs/exfat/super.c:276
    [<000000007680462b>] vfs_parse_fs_param+0x2b4/0x610 fs/fs_context.c:147
    [<0000000097c027f2>] vfs_parse_fs_string+0xe6/0x150 fs/fs_context.c:191
    [<00000000371bf78f>] generic_parse_monolithic+0x16f/0x1f0
fs/fs_context.c:231
    [<000000005ce5eb1b>] do_new_mount fs/namespace.c:2812 [inline]
    [<000000005ce5eb1b>] do_mount+0x12bb/0x1b30 fs/namespace.c:3141
    [<00000000b642040c>] __do_sys_mount fs/namespace.c:3350 [inline]
    [<00000000b642040c>] __se_sys_mount fs/namespace.c:3327 [inline]
    [<00000000b642040c>] __x64_sys_mount+0x18f/0x230 fs/namespace.c:3327
    [<000000003b024e98>] do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
    [<00000000ce2b698c>] entry_SYSCALL_64_after_hwframe+0x49/0xb3

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: memory leak in exfat_parse_param
  2020-06-02  5:03 memory leak in exfat_parse_param butt3rflyh4ck
@ 2020-06-02 16:28 ` Al Viro
  2020-06-03  1:32   ` Namjae Jeon
  0 siblings, 1 reply; 3+ messages in thread
From: Al Viro @ 2020-06-02 16:28 UTC (permalink / raw)
  To: butt3rflyh4ck
  Cc: namjae.jeon, sj1557.seo, linux-fsdevel, linux-kernel, syzkaller

On Tue, Jun 02, 2020 at 01:03:05PM +0800, butt3rflyh4ck wrote:
> I report a bug (in linux-5.7.0-rc7) found by syzkaller.
> 
> kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/config-v5.7.0-rc7
> 
> and can reproduce.
> 
> A param->string held by exfat_mount_options.

Humm...

	First of all, exfat_free() ought to call exfat_free_upcase_table().
What's more, WTF bother with that kstrdup(), anyway?  Just steal the string
and be done with that...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/fs/exfat/super.c b/fs/exfat/super.c
index 0565d5539d57..01cd7ed1614d 100644
--- a/fs/exfat/super.c
+++ b/fs/exfat/super.c
@@ -259,9 +259,8 @@ static int exfat_parse_param(struct fs_context *fc, struct fs_parameter *param)
 		break;
 	case Opt_charset:
 		exfat_free_iocharset(sbi);
-		opts->iocharset = kstrdup(param->string, GFP_KERNEL);
-		if (!opts->iocharset)
-			return -ENOMEM;
+		opts->iocharset = param->string;
+		param->string = NULL;
 		break;
 	case Opt_errors:
 		opts->errors = result.uint_32;
@@ -611,7 +610,10 @@ static int exfat_get_tree(struct fs_context *fc)
 
 static void exfat_free(struct fs_context *fc)
 {
-	kfree(fc->s_fs_info);
+	struct exfat_sb_info *sbi = fc->s_fs_info;
+
+	exfat_free_iocharset(sbi);
+	kfree(sbi);
 }
 
 static const struct fs_context_operations exfat_context_ops = {

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* RE: memory leak in exfat_parse_param
  2020-06-02 16:28 ` Al Viro
@ 2020-06-03  1:32   ` Namjae Jeon
  0 siblings, 0 replies; 3+ messages in thread
From: Namjae Jeon @ 2020-06-03  1:32 UTC (permalink / raw)
  To: 'Al Viro'
  Cc: sj1557.seo, linux-fsdevel, linux-kernel, 'syzkaller',
	'butt3rflyh4ck'

> On Tue, Jun 02, 2020 at 01:03:05PM +0800, butt3rflyh4ck wrote:
> > I report a bug (in linux-5.7.0-rc7) found by syzkaller.
> >
> > kernel config:
> > https://protect2.fireeye.com/url?k=f3a88a7d-ae6446d8-f3a90132-0cc47a30
> > d446-6021a2fbdd1681a8&q=1&u=https%3A%2F%2Fgithub.com%2Fbutterflyhack%2
> > Fsyzkaller-fuzz%2Fblob%2Fmaster%2Fconfig-v5.7.0-rc7
> >
> > and can reproduce.
> >
> > A param->string held by exfat_mount_options.
> 
> Humm...
> 
> 	First of all, exfat_free() ought to call exfat_free_upcase_table().
> What's more, WTF bother with that kstrdup(), anyway?  Just steal the string and be done with that...
Thanks for your patch. I will push it to exfat tree.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
> diff --git a/fs/exfat/super.c b/fs/exfat/super.c index 0565d5539d57..01cd7ed1614d 100644
> --- a/fs/exfat/super.c
> +++ b/fs/exfat/super.c
> @@ -259,9 +259,8 @@ static int exfat_parse_param(struct fs_context *fc, struct fs_parameter *param)
>  		break;
>  	case Opt_charset:
>  		exfat_free_iocharset(sbi);
> -		opts->iocharset = kstrdup(param->string, GFP_KERNEL);
> -		if (!opts->iocharset)
> -			return -ENOMEM;
> +		opts->iocharset = param->string;
> +		param->string = NULL;
>  		break;
>  	case Opt_errors:
>  		opts->errors = result.uint_32;
> @@ -611,7 +610,10 @@ static int exfat_get_tree(struct fs_context *fc)
> 
>  static void exfat_free(struct fs_context *fc)  {
> -	kfree(fc->s_fs_info);
> +	struct exfat_sb_info *sbi = fc->s_fs_info;
> +
> +	exfat_free_iocharset(sbi);
> +	kfree(sbi);
>  }
> 
>  static const struct fs_context_operations exfat_context_ops = {


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-03  1:32 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-02  5:03 memory leak in exfat_parse_param butt3rflyh4ck
2020-06-02 16:28 ` Al Viro
2020-06-03  1:32   ` Namjae Jeon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).