Re: [PATCH] CRED: Fix double free in prepare_usermodehelper_creds()error handling
From: Andrew Morton
Date: Thu Apr 22 2010 - 14:23:31 EST
On Tue, 20 Apr 2010 22:41:18 +0100
David Howells <dhowells@xxxxxxxxxx> wrote:
> Patch 570b8fb505896e007fd3bb07573ba6640e51851d:
>
> Author: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>
> Date: Tue Mar 30 00:04:00 2010 +0100
> Subject: CRED: Fix memory leak in error handling
>
> attempts to fix a memory leak in the error handling by making the offending
> return statement into a jump down to the bottom of the function where a
> kfree(tgcred) is inserted.
>
> This is, however, incorrect, as it does a kfree() after doing put_cred() if
> security_prepare_creds() fails. That will result in a double free if 'error'
> is jumped to as put_cred() will also attempt to free the new tgcred record by
> virtue of it being pointed to by the new cred record.
>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> ---
>
> kernel/cred.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index e1dbe9e..ce1a52b 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)
>
> error:
> put_cred(new);
> + return NULL;
> +
> free_tgcred:
> #ifdef CONFIG_KEYS
> kfree(tgcred);
Oleg's umh-creds-kill-subprocess_info-cred-logic.patch removes
prepare_usermodehelper_creds() altogether. An option would have been
to promote that into 2.6.34?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/