diff options
| author | Oleg Nesterov <oleg@redhat.com> | 2013-07-03 18:08:16 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-07-03 19:08:02 -0400 |
| commit | e7fd1549aeb83e34ee0955cdf5dee5d4088508f3 (patch) | |
| tree | ff08986f52f3e870205001290d7d1df5352558b8 /fs | |
| parent | 7f57cfa4e2aa29fabe69e41529fd26578adc9b58 (diff) | |
coredump: format_corename() can leak cn->corename
do_coredump() assumes that format_corename() can only fail if
expand_corename() fails and frees cn->corename. This is not true, for
example cn_print_exe_file() can fail and in this case nobody frees
cn->corename.
Change do_coredump() to always do kfree(cn->corename) after it calls
format_corename() (NULL is fine), change expand_corename() to do nothing
if kmalloc() fails.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Colin Walters <walters@verbum.org>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Lennart Poettering <mzxreary@0pointer.de>
Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/coredump.c | 18 |
1 files changed, 7 insertions, 11 deletions
diff --git a/fs/coredump.c b/fs/coredump.c index dafafbafa731..11bc368e0017 100644 --- a/fs/coredump.c +++ b/fs/coredump.c | |||
| @@ -58,16 +58,14 @@ static atomic_t call_count = ATOMIC_INIT(1); | |||
| 58 | 58 | ||
| 59 | static int expand_corename(struct core_name *cn) | 59 | static int expand_corename(struct core_name *cn) |
| 60 | { | 60 | { |
| 61 | char *old_corename = cn->corename; | 61 | int size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count); |
| 62 | char *corename = krealloc(cn->corename, size, GFP_KERNEL); | ||
| 62 | 63 | ||
| 63 | cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count); | 64 | if (!corename) |
| 64 | cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL); | ||
| 65 | |||
| 66 | if (!cn->corename) { | ||
| 67 | kfree(old_corename); | ||
| 68 | return -ENOMEM; | 65 | return -ENOMEM; |
| 69 | } | ||
| 70 | 66 | ||
| 67 | cn->size = size; | ||
| 68 | cn->corename = corename; | ||
| 71 | return 0; | 69 | return 0; |
| 72 | } | 70 | } |
| 73 | 71 | ||
| @@ -157,10 +155,9 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm) | |||
| 157 | int pid_in_pattern = 0; | 155 | int pid_in_pattern = 0; |
| 158 | int err = 0; | 156 | int err = 0; |
| 159 | 157 | ||
| 158 | cn->used = 0; | ||
| 160 | cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count); | 159 | cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count); |
| 161 | cn->corename = kmalloc(cn->size, GFP_KERNEL); | 160 | cn->corename = kmalloc(cn->size, GFP_KERNEL); |
| 162 | cn->used = 0; | ||
| 163 | |||
| 164 | if (!cn->corename) | 161 | if (!cn->corename) |
| 165 | return -ENOMEM; | 162 | return -ENOMEM; |
| 166 | 163 | ||
| @@ -549,7 +546,7 @@ void do_coredump(siginfo_t *siginfo) | |||
| 549 | if (ispipe < 0) { | 546 | if (ispipe < 0) { |
| 550 | printk(KERN_WARNING "format_corename failed\n"); | 547 | printk(KERN_WARNING "format_corename failed\n"); |
| 551 | printk(KERN_WARNING "Aborting core\n"); | 548 | printk(KERN_WARNING "Aborting core\n"); |
| 552 | goto fail_corename; | 549 | goto fail_unlock; |
| 553 | } | 550 | } |
| 554 | 551 | ||
| 555 | if (cprm.limit == 1) { | 552 | if (cprm.limit == 1) { |
| @@ -669,7 +666,6 @@ fail_dropcount: | |||
| 669 | atomic_dec(&core_dump_count); | 666 | atomic_dec(&core_dump_count); |
| 670 | fail_unlock: | 667 | fail_unlock: |
| 671 | kfree(cn.corename); | 668 | kfree(cn.corename); |
| 672 | fail_corename: | ||
| 673 | coredump_finish(mm, core_dumped); | 669 | coredump_finish(mm, core_dumped); |
| 674 | revert_creds(old_cred); | 670 | revert_creds(old_cred); |
| 675 | fail_creds: | 671 | fail_creds: |