linux-stable/fs
YueHaibing dd6734e179 exec: Fix mem leak in kernel_read_file
commit f612acfae8 upstream.

syzkaller reports this:
BUG: memory leak
unreferenced object 0xffffc9000488d000 (size 9195520):
  comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
  hex dump (first 32 bytes):
    ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  ................
    02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..........z.....
  backtrace:
    [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
    [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
    [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
    [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
    [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
    [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
    [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
    [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<00000000241f889b>] 0xffffffffffffffff

It should goto the 'out_free' label to free the allocated buf when kernel_read
fails.

Fixes: 39d637af5a ("vfs: forbid write access when reading a file into memory")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Thibaut Sautereau <thibaut@sautereau.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-13 14:04:55 -07:00
9p v9fs_dir_readdir: fix double-free on p9stat_read error 2018-12-01 09:44:18 +01:00
adfs
affs affs_lookup(): close a race with affs_remove_link() 2018-05-30 07:50:16 +02:00
afs afs: Fix abort on signal while waiting for call completion 2017-12-20 10:07:25 +01:00
autofs4 autofs: fix autofs_sbi() does not check super block type 2018-09-19 22:47:16 +02:00
befs
bfs bfs: add sanity check at bfs_fill_super() 2018-12-01 09:44:19 +01:00
btrfs btrfs: Remove false alert when fiemap range is smaller than on-disk extent 2019-02-23 09:05:59 +01:00
cachefiles fscache, cachefiles: remove redundant variable 'cache' 2018-12-17 09:38:34 +01:00
ceph ceph: avoid repeatedly adding inode to mdsc->snap_flush_list 2019-02-27 10:06:58 +01:00
cifs cifs: Limit memory used by lock request calls to a page 2019-02-20 10:18:30 +01:00
coda coda: fix 'kernel memory exposure attempt' in fsync 2017-11-24 08:33:42 +01:00
configfs configfs: replace strncpy with memcpy 2018-11-21 09:26:03 +01:00
cramfs Cramfs: fix abad comparison when wrap-arounds occur 2018-11-13 11:17:03 -08:00
crypto fscrypt: use unbound workqueue for decryption 2018-08-03 07:55:20 +02:00
debugfs debugfs: fix debugfs_rename parameter checking 2019-02-15 08:07:38 +01:00
devpts
dlm dlm: Don't swamp the CPU with callbacks queued during recovery 2019-02-12 19:44:51 +01:00
ecryptfs do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:50:16 +02:00
efivarfs
efs
exofs fs/exofs: fix potential memory leak in mount option parsing 2018-11-27 16:09:38 +01:00
exportfs exportfs: do not read dentry after free 2018-12-17 09:38:33 +01:00
ext2 ext2: fix potential use after free 2018-12-05 19:42:40 +01:00
ext4 ext4: avoid kernel warning when writing the superblock to a dead device 2019-01-16 22:12:33 +01:00
f2fs f2fs: fix sbi->extent_list corruption issue 2019-02-12 19:44:58 +01:00
fat fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() 2018-11-10 07:42:56 -08:00
freevxfs
fscache fscache: fix race between enablement and dropping of object 2018-12-17 09:38:34 +01:00
fuse fuse: handle zero sized retrieve correctly 2019-02-12 19:45:00 +01:00
gfs2 gfs2: Revert "Fix loop in gfs2_rbm_find" 2019-02-06 17:33:28 +01:00
hfs hfs: do not free node before using 2018-12-17 09:38:35 +01:00
hfsplus hfsplus: do not free node before using 2018-12-17 09:38:35 +01:00
hostfs
hpfs
hugetlbfs hugetlbfs: fix races and page leaks during migration 2019-03-13 14:04:54 -07:00
isofs isofs: fix timestamps beyond 2027 2017-11-30 08:39:04 +00:00
jbd2 jbd2: fix use after free in jbd2_log_do_checkpoint() 2018-11-13 11:16:55 -08:00
jffs2 jffs2: Fix use of uninitialized delayed_work, lockdep breakage 2019-01-26 09:38:33 +01:00
jfs jfs: Fix inconsistency between memory allocation and ea_buf->max_size 2018-08-09 12:18:00 +02:00
kernfs kernfs: Replace strncpy with memcpy 2018-12-08 13:05:05 +01:00
lockd lockd: fix access beyond unterminated strings in prints 2018-11-13 11:17:02 -08:00
logfs
minix
ncpfs ncpfs: fix build warning of strncpy 2019-03-13 14:04:52 -07:00
nfs NFS: nfs_compare_mount_options always compare auth flavors. 2019-02-12 19:44:57 +01:00
nfs_common lockd: fix "list_add double add" caused by legacy signal interface 2018-02-03 17:05:38 +01:00
nfsd nfsd4: catch some false session retries 2019-02-15 08:07:39 +01:00
nilfs2 do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:50:16 +02:00
nls
notify fanotify: fix handling of events on child sub-directory 2019-02-06 17:33:30 +01:00
ntfs
ocfs2 ocfs2: don't clear bh uptodate for block read 2019-02-12 19:44:58 +01:00
omfs
openpromfs
orangefs orangefs: off by ones in xattr size checks 2018-11-10 07:42:46 -08:00
overlayfs ovl: filter trusted xattr for non-admin 2018-04-13 19:48:12 +02:00
proc proc, oom: do not report alien mms when setting oom_score_adj 2019-02-27 10:06:58 +01:00
pstore pstore/ram: Do not treat empty buffers as valid 2019-01-26 09:38:33 +01:00
qnx4
qnx6
quota fs/quota: Fix spectre gadget in do_quotactl 2018-09-09 20:01:26 +02:00
ramfs
reiserfs reiserfs: propagate errors from fill_with_dentries() properly 2018-11-27 16:09:38 +01:00
romfs
squashfs Squashfs: Compute expected length from inode size rather than block length 2018-09-05 09:20:03 +02:00
sysfs scsi: sysfs: Introduce sysfs_{un,}break_active_protection() 2018-09-05 09:20:10 +02:00
sysv sysv: return 'err' instead of 0 in __sysv_write_inode 2018-12-17 09:38:32 +01:00
tracefs
ubifs ubifs: Handle re-linking of inodes correctly while recovery 2018-12-29 13:40:16 +01:00
udf udf: Fix BUG on corrupted inode 2019-02-12 19:44:55 +01:00
ufs ufs: we need to sync inode before freeing it 2018-11-10 07:42:49 -08:00
xfs xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE 2018-12-08 13:05:15 +01:00
aio.c aio: fix spectre gadget in lookup_ioctx 2018-12-21 14:11:31 +01:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c binfmt_elf: Respect error return from `regset->active' 2018-09-26 08:36:37 +02:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c fs/binfmt_misc.c: do not allow offset overflow 2018-06-26 08:08:09 +08:00
binfmt_script.c Revert "exec: load_script: don't blindly truncate shebang string" 2019-02-15 09:07:33 +01:00
block_dev.c blockdev: Fix livelocks on loop device 2019-01-23 08:10:56 +01:00
buffer.c
char_dev.c
compat.c
compat_binfmt_elf.c binfmt_elf: compat: avoid unused function warning 2018-02-25 11:05:55 +01:00
compat_ioctl.c fs: compat: Remove warning from COMPATIBLE_IOCTL 2018-04-08 12:12:44 +02:00
coredump.c
dax.c fs/dax.c: fix inefficiency in dax_writeback_mapping_range() 2018-02-28 10:18:33 +01:00
dcache.c fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() 2019-02-06 17:33:28 +01:00
dcookies.c
direct-io.c direct-io: allow direct writes to empty inodes 2019-03-05 17:57:05 +01:00
drop_caches.c
eventfd.c
eventpoll.c fs/epoll: drop ovflist branch prediction 2019-02-12 19:44:59 +01:00
exec.c exec: Fix mem leak in kernel_read_file 2019-03-13 14:04:55 -07:00
fcntl.c fs/fcntl: f_setown, avoid undefined behaviour 2018-01-31 12:55:52 +01:00
fhandle.c
file.c
file_table.c
filesystems.c
fs-writeback.c bdi: Fix oops in wb_workfn() 2018-05-16 10:08:42 +02:00
fs_pin.c
fs_struct.c
inode.c Fix up non-directory creation in SGID directories 2018-07-17 11:37:53 +02:00
internal.h
ioctl.c
iomap.c
Kconfig
Kconfig.binfmt
libfs.c libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount 2017-12-09 22:01:51 +01:00
locks.c
Makefile
mbcache.c mbcache: initialize entry->e_referenced in mb_cache_entry_create() 2018-02-22 15:43:48 +01:00
mount.h
mpage.c fs/mpage.c: fix mpage_writepage() for pages with buffers 2017-10-18 09:35:39 +02:00
namei.c namei: allow restricted O_CREAT of FIFOs and regular files 2018-12-01 09:44:25 +01:00
namespace.c mount: Prevent MNT_DETACH from disconnecting locked mounts 2018-11-21 09:26:02 +01:00
no-block.c
nsfs.c nsfs: mark dentry with DCACHE_RCUACCESS 2018-02-17 13:21:15 +01:00
open.c
pipe.c pipe: fix off-by-one error when checking buffer limits 2018-02-17 13:21:18 +01:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c fs: add the fsnotify call to vfs_iter_write 2019-02-06 17:33:26 +01:00
readdir.c
select.c
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c
super.c fs: don't scan the inode cache before SB_BORN is set 2019-02-06 17:33:29 +01:00
sync.c
timerfd.c
userfaultfd.c userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE 2017-12-20 10:07:18 +01:00
utimes.c
xattr.c sysfs: Do not return POSIX ACL xattrs via listxattr 2018-10-10 08:53:22 +02:00