* [PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c @ 2019-05-21 9:29 Gen Zhang 2019-05-21 20:44 ` Kees Cook 0 siblings, 1 reply; 12+ messages in thread From: Gen Zhang @ 2019-05-21 9:29 UTC (permalink / raw) To: keescook; +Cc: linux-kernel In function con_insert_unipair(), when allocation for p2 and p1[n] fails, ENOMEM is returned, but previously allocated p1 is not freed, remains as leaking memory. Thus we should free p1 as well when this allocation fails. Signed-off-by: Gen Zhang <blackgod016574@gmail.com> --- diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c index b28aa0d..47fbd73 100644 --- a/drivers/tty/vt/consolemap.c +++ b/drivers/tty/vt/consolemap.c @@ -489,7 +489,10 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) p2 = p1[n = (unicode >> 6) & 0x1f]; if (!p2) { p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); - if (!p2) return -ENOMEM; + if (!p2) { + kfree(p1); + return -ENOMEM; + } memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ } ^ permalink raw reply related [flat|nested] 12+ messages in thread
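Review bot: the kfree(p1) added in the p2 failure path frees memory that p->uni_pgdir[] still points to, and p1 is not necessarily this call's own allocation: a few lines above the hunk it is only allocated when p->uni_pgdir[unicode >> 11] was NULL, otherwise it is an existing directory whose other p1[i] pages would be orphaned by the free. Suggest remembering whether p1 was allocated in this call and, only in that case, freeing it and clearing its directory slot using the top-level index; note that the first context line `p2 = p1[n = (unicode >> 6) & 0x1f];` reassigns n to the second-level index, so n can no longer address p->uni_pgdir[] at the point of the free.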
* Re: [PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-21 9:29 [PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c Gen Zhang @ 2019-05-21 20:44 ` Kees Cook 2019-05-22 1:50 ` Gen Zhang 0 siblings, 1 reply; 12+ messages in thread From: Kees Cook @ 2019-05-21 20:44 UTC (permalink / raw) To: Gen Zhang, Greg Kroah-Hartman; +Cc: linux-kernel On Tue, May 21, 2019 at 05:29:35PM +0800, Gen Zhang wrote: > In function con_insert_unipair(), when allocation for p2 and p1[n] > fails, ENOMEM is returned, but previously allocated p1 is not freed, > remains as leaking memory. Thus we should free p1 as well when this > allocation fails. > > Signed-off-by: Gen Zhang <blackgod016574@gmail.com> > > --- > diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c > index b28aa0d..47fbd73 100644 > --- a/drivers/tty/vt/consolemap.c > +++ b/drivers/tty/vt/consolemap.c > @@ -489,7 +489,10 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) > p2 = p1[n = (unicode >> 6) & 0x1f]; > if (!p2) { > p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); > - if (!p2) return -ENOMEM; > + if (!p2) { > + kfree(p1); > + return -ENOMEM; > + } This doesn't look safe to me: p->uni_pgdir[n] will still have a handle to the freed memory, won't it? (And please direct these patches to Greg, as he's the current maintainer; I'm happy to stay CCed, of course.) -Kees > memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ > } > -- Kees Cook ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-21 20:44 ` Kees Cook @ 2019-05-22 1:50 ` Gen Zhang 2019-05-22 20:54 ` Kees Cook 0 siblings, 1 reply; 12+ messages in thread From: Gen Zhang @ 2019-05-22 1:50 UTC (permalink / raw) To: Kees Cook; +Cc: gregkh, linux-kernel On Tue, May 21, 2019 at 01:44:33PM -0700, Kees Cook wrote: > This doesn't look safe to me: p->uni_pgdir[n] will still have a handle > to the freed memory, won't it? > Thanks for your reply, Kees! I think you are right. Maybe we should do this: kfree(p1); p->uni_pgdir[n] = NULL; Is this correct? > (And please direct these patches to Greg, as he's the current > maintainer; I'm happy to stay CCed, of course.) > I will follow your suggestions, thanks! Gen > -Kees > > > memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ > > } > > > > -- > Kees Cook ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-22 1:50 ` Gen Zhang @ 2019-05-22 20:54 ` Kees Cook 2019-05-23 0:29 ` Gen Zhang 2019-05-23 0:34 ` [PATCH v2] " Gen Zhang 0 siblings, 2 replies; 12+ messages in thread From: Kees Cook @ 2019-05-22 20:54 UTC (permalink / raw) To: Gen Zhang; +Cc: gregkh, linux-kernel On Wed, May 22, 2019 at 09:50:55AM +0800, Gen Zhang wrote: > On Tue, May 21, 2019 at 01:44:33PM -0700, Kees Cook wrote: > > This doesn't look safe to me: p->uni_pgdir[n] will still have a handle > > to the freed memory, won't it? > > > Thanks for your reply, Kees! > I think you are right. Maybe we should do this: > kfree(p1); > p->uni_pgdir[n] = NULL; > Is this correct? That's what I'm not sure about. I *think* so, from reading the code, but I'd love to have Greg (or someone more familiar with the code) to double-check this. Otherwise, yeah, this looks right. Please send a v2 and we can debate the correctness there, if it turns out to be wrong. :) -- Kees Cook ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-22 20:54 ` Kees Cook @ 2019-05-23 0:29 ` Gen Zhang 2019-05-23 0:34 ` [PATCH v2] " Gen Zhang 1 sibling, 0 replies; 12+ messages in thread From: Gen Zhang @ 2019-05-23 0:29 UTC (permalink / raw) To: Kees Cook; +Cc: linux-kernel On Wed, May 22, 2019 at 01:54:47PM -0700, Kees Cook wrote: > On Wed, May 22, 2019 at 09:50:55AM +0800, Gen Zhang wrote: > > On Tue, May 21, 2019 at 01:44:33PM -0700, Kees Cook wrote: > > > This doesn't look safe to me: p->uni_pgdir[n] will still have a handle > > > to the freed memory, won't it? > > > > > Thanks for your reply, Kees! > > I think you are right. Maybe we should do this: > > kfree(p1); > > p->uni_pgdir[n] = NULL; > > Is this correct? > > That's what I'm not sure about. I *think* so, from reading the code, but > I'd love to have Greg (or someone more familiar with the code) to > double-check this. > > Otherwise, yeah, this looks right. Please send a v2 and we can debate > the correctness there, if it turns out to be wrong. :) > > -- > Kees Cook Thanks for your suggestions, Kees. I follow your guidance and work on resubmitting a patch. Thanks Gen ^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-22 20:54 ` Kees Cook 2019-05-23 0:29 ` Gen Zhang @ 2019-05-23 0:34 ` Gen Zhang 2019-05-23 16:54 ` Kees Cook 1 sibling, 1 reply; 12+ messages in thread From: Gen Zhang @ 2019-05-23 0:34 UTC (permalink / raw) To: Kees Cook, jslaby; +Cc: linux-kernel In function con_insert_unipair(), when allocation for p2 and p1[n] fails, ENOMEM is returned, but previously allocated p1 is not freed, remains as leaking memory. Thus we should free p1 as well when this allocation fails. Signed-off-by: Gen Zhang <blackgod016574@gmail.com> --- diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c index b28aa0d..79fcc96 100644 --- a/drivers/tty/vt/consolemap.c +++ b/drivers/tty/vt/consolemap.c @@ -489,7 +489,11 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) p2 = p1[n = (unicode >> 6) & 0x1f]; if (!p2) { p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); - if (!p2) return -ENOMEM; + if (!p2) { + kfree(p1); + p->uni_pgdir[n] = NULL; + return -ENOMEM; + } memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ } --- ^ permalink raw reply related [flat|nested] 12+ messages in thread
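Review bot: `p->uni_pgdir[n] = NULL;` clears the wrong slot: by this point n holds (unicode >> 6) & 0x1f from the context line `p2 = p1[n = (unicode >> 6) & 0x1f];`, not the unicode >> 11 index the directory was stored under, so the dangling top-level pointer is left in place and an unrelated slot is zeroed. The kfree(p1) is also unconditional, so when p1 already existed before this call (it is allocated only when p->uni_pgdir[unicode >> 11] was NULL) its other p1[i] pages are orphaned. Suggest a flag set only on the path that allocates p1, a separate variable for the second-level index, and freeing plus clearing only under that flag.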
* Re: [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-23 0:34 ` [PATCH v2] " Gen Zhang @ 2019-05-23 16:54 ` Kees Cook 2019-05-24 2:14 ` Gen Zhang ` (2 more replies) 0 siblings, 3 replies; 12+ messages in thread From: Kees Cook @ 2019-05-23 16:54 UTC (permalink / raw) To: Gen Zhang, Greg KH; +Cc: jslaby, linux-kernel On Thu, May 23, 2019 at 08:34:52AM +0800, Gen Zhang wrote: > In function con_insert_unipair(), when allocation for p2 and p1[n] > fails, ENOMEM is returned, but previously allocated p1 is not freed, > remains as leaking memory. Thus we should free p1 as well when this > allocation fails. > > Signed-off-by: Gen Zhang <blackgod016574@gmail.com> As far as I can see this is correct, as it's just restoring the prior state before the p1 allocation. Reviewed-by: Kees Cook <keescook@chromium.org> > --- > diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c > index b28aa0d..79fcc96 100644 > --- a/drivers/tty/vt/consolemap.c > +++ b/drivers/tty/vt/consolemap.c > @@ -489,7 +489,11 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) > p2 = p1[n = (unicode >> 6) & 0x1f]; > if (!p2) { > p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); > - if (!p2) return -ENOMEM; > + if (!p2) { > + kfree(p1); > + p->uni_pgdir[n] = NULL; > + return -ENOMEM; > + } > memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ > } > > --- -- Kees Cook ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-23 16:54 ` Kees Cook @ 2019-05-24 2:14 ` Gen Zhang 2019-05-24 2:19 ` [PATCH v2] consolemap: Fix a memory leaking bug in con_insert_unipair() Gen Zhang 2019-05-24 9:37 ` [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c Jon Hunter 2 siblings, 0 replies; 12+ messages in thread From: Gen Zhang @ 2019-05-24 2:14 UTC (permalink / raw) To: Kees Cook; +Cc: linux-kernel On Thu, May 23, 2019 at 09:54:18AM -0700, Kees Cook wrote: > On Thu, May 23, 2019 at 08:34:52AM +0800, Gen Zhang wrote: > > In function con_insert_unipair(), when allocation for p2 and p1[n] > > fails, ENOMEM is returned, but previously allocated p1 is not freed, > > remains as leaking memory. Thus we should free p1 as well when this > > allocation fails. > > > > Signed-off-by: Gen Zhang <blackgod016574@gmail.com> > > As far as I can see this is correct, as it's just restoring the prior > state before the p1 allocation. > > Reviewed-by: Kees Cook <keescook@chromium.org> > Thanks for your review, Kees! Thanks Gen > > --- > > diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c > > index b28aa0d..79fcc96 100644 > > --- a/drivers/tty/vt/consolemap.c > > +++ b/drivers/tty/vt/consolemap.c > > @@ -489,7 +489,11 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) > > p2 = p1[n = (unicode >> 6) & 0x1f]; > > if (!p2) { > > p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); > > - if (!p2) return -ENOMEM; > > + if (!p2) { > > + kfree(p1); > > + p->uni_pgdir[n] = NULL; > > + return -ENOMEM; > > + } > > memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ > > } > > > > --- > > -- > Kees Cook ^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v2] consolemap: Fix a memory leaking bug in con_insert_unipair() 2019-05-23 16:54 ` Kees Cook 2019-05-24 2:14 ` Gen Zhang @ 2019-05-24 2:19 ` Gen Zhang 2019-05-24 8:02 ` Greg KH 2019-05-24 9:37 ` [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c Jon Hunter 2 siblings, 1 reply; 12+ messages in thread From: Gen Zhang @ 2019-05-24 2:19 UTC (permalink / raw) To: jslaby; +Cc: keescook, khorenko, linux-kernel In function con_insert_unipair(), when allocation for p2 and p1[n] fails, ENOMEM is returned, but previously allocated p1 is not freed, remains as leaking memory. Thus we should free p1 as well when this allocation fails. Signed-off-by: Gen Zhang <blackgod016574@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> --- diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c index b28aa0d..79fcc96 100644 --- a/drivers/tty/vt/consolemap.c +++ b/drivers/tty/vt/consolemap.c @@ -489,7 +489,11 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) p2 = p1[n = (unicode >> 6) & 0x1f]; if (!p2) { p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); - if (!p2) return -ENOMEM; + if (!p2) { + kfree(p1); + p->uni_pgdir[n] = NULL; + return -ENOMEM; + } memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ } --- ^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH v2] consolemap: Fix a memory leaking bug in con_insert_unipair() 2019-05-24 2:19 ` [PATCH v2] consolemap: Fix a memory leaking bug in con_insert_unipair() Gen Zhang @ 2019-05-24 8:02 ` Greg KH 0 siblings, 0 replies; 12+ messages in thread From: Greg KH @ 2019-05-24 8:02 UTC (permalink / raw) To: Gen Zhang; +Cc: jslaby, keescook, khorenko, linux-kernel On Fri, May 24, 2019 at 10:19:32AM +0800, Gen Zhang wrote: > In function con_insert_unipair(), when allocation for p2 and p1[n] > fails, ENOMEM is returned, but previously allocated p1 is not freed, > remains as leaking memory. Thus we should free p1 as well when this > allocation fails. > > Signed-off-by: Gen Zhang <blackgod016574@gmail.com> > Reviewed-by: Kees Cook <keescook@chromium.org> Any reason you keep dropping me from this thread? It's as if you don't want me to apply the patch :( greg k-h ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-23 16:54 ` Kees Cook 2019-05-24 2:14 ` Gen Zhang 2019-05-24 2:19 ` [PATCH v2] consolemap: Fix a memory leaking bug in con_insert_unipair() Gen Zhang @ 2019-05-24 9:37 ` Jon Hunter 2019-05-25 6:04 ` Kees Cook 2 siblings, 1 reply; 12+ messages in thread From: Jon Hunter @ 2019-05-24 9:37 UTC (permalink / raw) To: Kees Cook, Gen Zhang, Greg KH; +Cc: jslaby, linux-kernel Kees, On 23/05/2019 17:54, Kees Cook wrote: > On Thu, May 23, 2019 at 08:34:52AM +0800, Gen Zhang wrote: >> In function con_insert_unipair(), when allocation for p2 and p1[n] >> fails, ENOMEM is returned, but previously allocated p1 is not freed, >> remains as leaking memory. Thus we should free p1 as well when this >> allocation fails. >> >> Signed-off-by: Gen Zhang <blackgod016574@gmail.com> > > As far as I can see this is correct, as it's just restoring the prior > state before the p1 allocation. Are you sure this is correct? It looks like p1 is only allocated if p->uni_pgdir[n = unicode >> 11] == NULL. I only mention this because I have seen a few patches from Gen today regarding memory leaks and devm_kzalloc() that are not correct. > Reviewed-by: Kees Cook <keescook@chromium.org> > >> --- >> diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c >> index b28aa0d..79fcc96 100644 >> --- a/drivers/tty/vt/consolemap.c >> +++ b/drivers/tty/vt/consolemap.c >> @@ -489,7 +489,11 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) >> p2 = p1[n = (unicode >> 6) & 0x1f]; >> if (!p2) { >> p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); >> - if (!p2) return -ENOMEM; >> + if (!p2) { >> + kfree(p1); >> + p->uni_pgdir[n] = NULL; >> + return -ENOMEM; >> + } >> memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ >> } >> >> --- Cheers Jon -- nvpublic ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c 2019-05-24 9:37 ` [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c Jon Hunter @ 2019-05-25 6:04 ` Kees Cook 0 siblings, 0 replies; 12+ messages in thread From: Kees Cook @ 2019-05-25 6:04 UTC (permalink / raw) To: Jon Hunter, Greg KH; +Cc: Gen Zhang, jslaby, linux-kernel On Fri, May 24, 2019 at 10:37:59AM +0100, Jon Hunter wrote: > Kees, > > On 23/05/2019 17:54, Kees Cook wrote: > > On Thu, May 23, 2019 at 08:34:52AM +0800, Gen Zhang wrote: > >> In function con_insert_unipair(), when allocation for p2 and p1[n] > >> fails, ENOMEM is returned, but previously allocated p1 is not freed, > >> remains as leaking memory. Thus we should free p1 as well when this > >> allocation fails. > >> > >> Signed-off-by: Gen Zhang <blackgod016574@gmail.com> > > > > As far as I can see this is correct, as it's just restoring the prior > > state before the p1 allocation. > > Are you sure this is correct? It looks like p1 is only allocated if > p->uni_pgdir[n = unicode >> 11] == NULL. Thanks, yes, I looked more closely, and this is wrong. It's probably fine to leave it as it was (since it appears to just be allocating on demand). If we really want to restore the state on failure, we also can't re-use "n", which is no longer valid. Here, I think, would be a complete patch to check for allocation and use a separate index for the other array: diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c index b28aa0d289f8..5f77cffc53b8 100644 --- a/drivers/tty/vt/consolemap.c +++ b/drivers/tty/vt/consolemap.c @@ -474,7 +474,8 @@ static int con_unify_unimap(struct vc_data *conp, struct uni_pagedir *p) static int con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) { - int i, n; + int i, n, high; + bool p1_alloced = false; u16 **p1, *p2; p1 = p->uni_pgdir[n = unicode >> 11]; 
@@ -482,14 +483,22 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) p1 = p->uni_pgdir[n] = kmalloc_array(32, sizeof(u16 *), GFP_KERNEL); if (!p1) return -ENOMEM; + p1_alloced = true; for (i = 0; i < 32; i++) p1[i] = NULL; } - p2 = p1[n = (unicode >> 6) & 0x1f]; + p2 = p1[high = (unicode >> 6) & 0x1f]; if (!p2) { - p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); - if (!p2) return -ENOMEM; + p2 = p1[high] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); + if (!p2) { + if (p1_alloced) { + kfree(p1); + p->uni_pgdir[n] = NULL; + } + return -ENOMEM; + } + memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ } But, frankly, probably the patch should just be removed... -Kees > > I only mention this because I have seen a few patches from Gen today > regarding memory leaks and devm_kzalloc() that are not correct. > > > Reviewed-by: Kees Cook <keescook@chromium.org> > > > >> --- > >> diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c > >> index b28aa0d..79fcc96 100644 > >> --- a/drivers/tty/vt/consolemap.c > >> +++ b/drivers/tty/vt/consolemap.c > >> @@ -489,7 +489,11 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos) > >> p2 = p1[n = (unicode >> 6) & 0x1f]; > >> if (!p2) { > >> p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); > >> - if (!p2) return -ENOMEM; > >> + if (!p2) { > >> + kfree(p1); > >> + p->uni_pgdir[n] = NULL; > >> + return -ENOMEM; > >> + } > >> memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ > >> } > >> > >> --- > > Cheers > Jon > > -- > nvpublic -- Kees Cook ^ permalink raw reply related [flat|nested] 12+ messages in thread
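Review bot: the cleanup logic holds: p1_alloced is set only on the path that allocated p1, and when it is set every p1[i] is still NULL (the loop just cleared them and the p2 allocation failed), so kfree(p1) drops nothing else; moving the second-level index into `high` keeps n valid for `p->uni_pgdir[n] = NULL`, and the early `return -ENOMEM` after the p1 allocation failure needs no cleanup because nothing was allocated yet. One nit: the hunk adds an empty line before the memset(), which is a stray blank line. Leaving the partially built directory in place, as the message itself suggests, is also leak-free, since p->uni_pgdir[n] still owns p1 for the next caller.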
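As an added user-space model (not the kernel's code and not any patch from this thread): the same control flow as con_insert_unipair() with an injected allocation failure, showing why the v2 error path frees a directory that pre-dates the call and clears the wrong slot, and that an error path which undoes only its own allocation leaves the existing mapping intact. The helpers xalloc, xfree, run_scenario and the fault-injection globals are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned short u16;
struct uni_pagedir { u16 **uni_pgdir[32]; };   /* user-space stand-in for the kernel struct */
/* Fault injection (constructed): the allocation made while allocs_left == 0 fails. */
static int allocs_left = -1; static void *last_freed;   /* last_freed: what the error path freed */
static void *xalloc(size_t n, size_t sz)
{
	if (allocs_left == 0) return NULL;         /* stands in for kmalloc_array() returning NULL */
	if (allocs_left > 0) allocs_left--;
	return calloc(n, sz);
}
static void xfree(void *q) { last_freed = q; free(q); }
/* Same control flow as con_insert_unipair(). v2_cleanup=true mirrors the v2 patch (free p1 unconditionally,
 * clear p->uni_pgdir[n] after n was reused); false undoes only what this call allocated, via the top index. */
static int insert(struct uni_pagedir *p, u16 unicode, u16 fontpos, bool v2_cleanup)
{
	int i, n, high;
	bool p1_alloced = false;
	u16 **p1, *p2;
	p1 = p->uni_pgdir[n = unicode >> 11];
	if (!p1) {
		p1 = p->uni_pgdir[n] = xalloc(32, sizeof(u16 *));
		if (!p1) return -ENOMEM;               /* nothing allocated yet, nothing to undo */
		p1_alloced = true;
		for (i = 0; i < 32; i++) p1[i] = NULL;
	}
	p2 = p1[high = (unicode >> 6) & 0x1f];
	if (!p2) {
		p2 = p1[high] = xalloc(64, sizeof(u16));
		if (!p2) {
			if (v2_cleanup) {                  /* may free a directory that pre-dates this call */
				xfree(p1);
				p->uni_pgdir[high] = NULL;     /* v2's p->uni_pgdir[n]: n is the low index now */
			} else if (p1_alloced) {
				xfree(p1);                     /* every p1[i] is still NULL here */
				p->uni_pgdir[n] = NULL;
			}
			return -ENOMEM;
		}
		memset(p2, 0xff, 64 * sizeof(u16));    /* no glyphs for these characters yet */
	}
	p2[unicode & 0x3f] = fontpos;
	return 0;
}
/* Map U+0041, then fail the page allocation for U+0081 (same top-level bucket, new page).
 * Returns 0 if the earlier mapping survives, 1 if p->uni_pgdir[0] points at freed memory. */
static int run_scenario(bool v2_cleanup)
{
	struct uni_pagedir *p = calloc(1, sizeof(*p));
	allocs_left = -1; last_freed = NULL;
	if (!p || insert(p, 0x41, 7, v2_cleanup)) return -1;
	allocs_left = 0;                           /* the next allocation fails */
	if (insert(p, 0x81, 8, v2_cleanup) != -ENOMEM) return -2;
	if (p->uni_pgdir[0] == last_freed) return 1;
	return p->uni_pgdir[0][1][0x41 & 0x3f] == 7 ? 0 : 2;
}
```

run_scenario(true) reports the dangling top-level slot the v2 patch leaves behind; run_scenario(false) shows the U+0041 mapping still readable after the failed insert.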