From: Daniel Borkmann <daniel@iogearbox.net>
To: Bill Wendling <morbo@google.com>, Kees Cook <keescook@chromium.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org,
Zhengchao Shao <shaozhengchao@huawei.com>,
Lorenz Bauer <oss@lmb.io>
Subject: Re: [PATCH bpf-next v2 1/3] bpf/verifier: Fix potential memory leak in array reallocation
Date: Tue, 1 Nov 2022 14:46:54 +0100 [thread overview]
Message-ID: <2c6203ac-de2a-607e-0589-0a69f91e0479@iogearbox.net> (raw)
In-Reply-To: <CAGG=3QXYVwQ5pwARdGTenm-mDQn4Tcz6U-=EZ8BDcwBkM5bFfg@mail.gmail.com>
[ +Lorenz ]
On 10/31/22 9:16 PM, Bill Wendling wrote:
> On Fri, Oct 28, 2022 at 7:55 PM Kees Cook <keescook@chromium.org> wrote:
>>
>> If an error (NULL) is returned by krealloc(), callers of realloc_array()
>> were setting their allocation pointers to NULL, but on error krealloc()
>> does not touch the original allocation. This would result in a memory
>> resource leak. Instead, free the old allocation on the error handling
>> path.
>>
>> Cc: Alexei Starovoitov <ast@kernel.org>
>> Cc: Daniel Borkmann <daniel@iogearbox.net>
>> Cc: John Fastabend <john.fastabend@gmail.com>
>> Cc: Andrii Nakryiko <andrii@kernel.org>
>> Cc: Martin KaFai Lau <martin.lau@linux.dev>
>> Cc: Song Liu <song@kernel.org>
>> Cc: Yonghong Song <yhs@fb.com>
>> Cc: KP Singh <kpsingh@kernel.org>
>> Cc: Stanislav Fomichev <sdf@google.com>
>> Cc: Hao Luo <haoluo@google.com>
>> Cc: Jiri Olsa <jolsa@kernel.org>
>> Cc: bpf@vger.kernel.org
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>
> Reviewed-by: Bill Wendling <morbo@google.com>
>
>> ---
>> kernel/bpf/verifier.c | 9 +++++++--
>> 1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 014ee0953dbd..eb8c34db74c7 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -1027,12 +1027,17 @@ static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t
>> */
>> static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size)
>> {
>> + void *new_arr;
>> +
>> if (!new_n || old_n == new_n)
>> goto out;
>>
>> - arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
>> - if (!arr)
>> + new_arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
>> + if (!new_arr) {
>> + kfree(arr);
>> return NULL;
>> + }
>> + arr = new_arr;
Fyi, I took this fix into bpf tree and improved commit log a bit with the
one from Zhengchao [0] given yours came in first. Fixes tag would have been
nice, I added the c69431aab67a to the commit message while applying.
[0] https://patchwork.kernel.org/project/netdevbpf/patch/20221031070812.339883-1-shaozhengchao@huawei.com/
>> if (new_n > old_n)
>> memset(arr + old_n * size, 0, (new_n - old_n) * size);
>> --
>> 2.34.1
>>
next prev parent reply other threads:[~2022-11-01 13:47 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-29 2:54 [PATCH bpf-next v2 0/3] bpf/verifier: Use kmalloc_size_roundup() to match ksize() usage Kees Cook
2022-10-29 2:54 ` [PATCH bpf-next v2 1/3] bpf/verifier: Fix potential memory leak in array reallocation Kees Cook
2022-10-31 20:16 ` Bill Wendling
2022-11-01 13:46 ` Daniel Borkmann [this message]
2022-11-15 16:07 ` Lorenz Bauer
2022-10-29 2:54 ` [PATCH bpf-next v2 2/3] bpf/verifier: Use kmalloc_size_roundup() to match ksize() usage Kees Cook
2022-11-01 13:52 ` Daniel Borkmann
2022-11-01 17:01 ` Kees Cook
2022-10-29 2:54 ` [PATCH bpf-next v2 3/3] bpf/verifier: Take advantage of full allocation sizes Kees Cook
2022-10-31 21:53 ` Stanislav Fomichev
2022-11-01 5:23 ` Kees Cook
2022-11-01 13:40 ` [PATCH bpf-next v2 0/3] bpf/verifier: Use kmalloc_size_roundup() to match ksize() usage patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2c6203ac-de2a-607e-0589-0a69f91e0479@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=keescook@chromium.org \
--cc=kpsingh@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=morbo@google.com \
--cc=oss@lmb.io \
--cc=sdf@google.com \
--cc=shaozhengchao@huawei.com \
--cc=song@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).