Thread (5 messages) 5 messages, 3 authors, 2023-12-27

Re: [PATCH] SUNRPC: fix a memleak in gss_import_v2_context

From: Chuck Lever <hidden>
Date: 2023-12-24 16:57:05
Also in: linux-nfs, lkml

On Sun, Dec 24, 2023 at 04:20:33PM +0800, Zhipeng Lu wrote:
quoted hunk ↗ jump to hunk
The ctx->mech_used.data allocated by kmemdup is not freed in neither
gss_import_v2_context nor it only caller radeon_driver_open_kms.
Thus, this patch reform the last call of gss_import_v2_context to the
gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
formation.

Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
Signed-off-by: Zhipeng Lu <redacted>
---
 net/sunrpc/auth_gss/gss_krb5_mech.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index e31cfdf7eadc..1e54bd63e3f0 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -398,6 +398,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
 	u64 seq_send64;
 	int keylen;
 	u32 time32;
+	int ret;
 
 	p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
 	if (IS_ERR(p))
@@ -450,8 +451,14 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
 	}
 	ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
 
-	return gss_krb5_import_ctx_v2(ctx, gfp_mask);
+	ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
+	if (ret) {
+		p = ERR_PTR(ret);
+		goto out_free;
+	};
 
+out_free:
+	kfree(ctx->mech_used.data);
If the caller's error flow does not invoke
gss_krb5_delete_sec_context(), then I would expect more than just
mech_used.data would be leaked. What if, instead, you changed
gss_krb5_import_sec_context() like this (untested):

471         ret = gss_import_v2_context(p, end, ctx, gfp_mask);
472         memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess));
473         if (ret) {      
   -                kfree(ctx);                      
   +                gss_krb5_delete_sec_context(ctx);
475                 return ret;
476         }    

Obviously you would need to add a forward declaration of
gss_krb5_import_sec_context() to make this compile. The question
is whether gss_krb5_delete_sec_context() will deal with a partially-
initialized @ctx.

How did you find this leak, and what kind of testing was done to
confirm the fix is safe?

 out_err:
 	return PTR_ERR(p);
 }
-- 
2.34.1
-- 
Chuck Lever
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help