tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

staging: p9auth: prevent some oopses and memory leaks

Before all testcases, do:
mknod /dev/caphash c 253 0
mknod /dev/capuse c 253 1

This patch does the following:

1. caphash write of > CAP_NODE_SIZE bytes overruns node_ptr->data
(test: cat /etc/mime.types > /dev/caphash)
2. make sure we don't dereference a NULL cap_devices[0].head
(test: cat serge@root@abab > /dev/capuse)
3. don't let strlen dereference a NULL target_user etc
(test: echo ab > /dev/capuse)
4. Don't leak a bunch of memory in cap_write(). Note that
technically node_ptr is not needed for the capuse write case.
As a result I have a much more extensive patch splitting up
cap_write(), but I thought a smaller patch that is easier to test
and verify would be a better start. To test:
cnt=0
while [ 1 ]; do
echo /etc/mime.types > /dev/capuse
if [ $((cnt%25)) -eq 0 ]; then
head -2 /proc/meminfo
fi
cnt=$((cnt+1))
sleep 0.3
done
Without this patch, it MemFree steadily drops. With the patch,
it does not.

I have *not* tested this driver (with or without these patches)
with factotum or anything - only using the tests described above.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>


authored by

Serge E. Hallyn and committed by
Greg Kroah-Hartman f82ebea5 0f51010e

+23 -1
+23 -1
drivers/staging/p9auth/p9auth.c
··· 180 180 if (down_interruptible(&dev->sem)) 181 181 return -ERESTARTSYS; 182 182 183 + user_buf_running = NULL; 184 + hash_str = NULL; 183 185 node_ptr = kmalloc(sizeof(struct cap_node), GFP_KERNEL); 184 186 user_buf = kzalloc(count, GFP_KERNEL); 187 + if (!node_ptr || !user_buf) 188 + goto out; 185 189 186 190 if (copy_from_user(user_buf, buf, count)) { 187 191 retval = -EFAULT; ··· 197 193 * hashed capability supplied by the user to the list of hashes 198 194 */ 199 195 if (0 == iminor(filp->f_dentry->d_inode)) { 196 + if (count > CAP_NODE_SIZE) { 197 + retval = -EINVAL; 198 + goto out; 199 + } 200 200 printk(KERN_INFO "Capability being written to /dev/caphash : \n"); 201 201 hexdump(user_buf, count); 202 202 memcpy(node_ptr->data, user_buf, count); 203 203 list_add(&(node_ptr->list), &(dev->head->list)); 204 + node_ptr = NULL; 204 205 } else { 206 + if (!cap_devices[0].head || 207 + list_empty(&(cap_devices[0].head->list))) { 208 + retval = -EINVAL; 209 + goto out; 210 + } 205 211 /* 206 212 * break the supplied string into tokens with @ as the 207 213 * delimiter If the string is "user1@user2@randomstring" we ··· 222 208 source_user = strsep(&user_buf_running, "@"); 223 209 target_user = strsep(&user_buf_running, "@"); 224 210 rand_str = strsep(&user_buf_running, "@"); 211 + if (!source_user || !target_user || !rand_str) { 212 + retval = -EINVAL; 213 + goto out; 214 + } 225 215 226 216 /* hash the string user1@user2 with rand_str as the key */ 227 217 len = strlen(source_user) + strlen(target_user) + 1; ··· 242 224 retval = -EFAULT; 243 225 goto out; 244 226 } 245 - memcpy(node_ptr->data, result, CAP_NODE_SIZE); 227 + memcpy(node_ptr->data, result, CAP_NODE_SIZE); /* why? */ 246 228 /* Change the process's uid if the hash is present in the 247 229 * list of hashes 248 230 */ ··· 317 299 dev->size = *f_pos; 318 300 319 301 out: 302 + kfree(node_ptr); 303 + kfree(user_buf); 304 + kfree(user_buf_running); 305 + kfree(hash_str); 320 306 up(&dev->sem); 321 307 return retval; 322 308 }