aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2010-04-20 17:41:18 -0400
committerJames Morris <jmorris@namei.org>2010-04-20 19:20:35 -0400
commiteff30363c0b8b057f773108589bfd8881659fe74 (patch)
tree6ae631c2fa01174a24da347b68fc25f0c350bc2b
parent05ce7bfe547c9fa967d9cab6c37867a9cb6fb3fa (diff)
CRED: Fix double free in prepare_usermodehelper_creds() error handling
Patch 570b8fb505896e007fd3bb07573ba6640e51851d: Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Date: Tue Mar 30 00:04:00 2010 +0100 Subject: CRED: Fix memory leak in error handling attempts to fix a memory leak in the error handling by making the offending return statement into a jump down to the bottom of the function where a kfree(tgcred) is inserted. This is, however, incorrect, as it does a kfree() after doing put_cred() if security_prepare_creds() fails. That will result in a double free if 'error' is jumped to as put_cred() will also attempt to free the new tgcred record by virtue of it being pointed to by the new cred record. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--kernel/cred.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/cred.c b/kernel/cred.c
index e1dbe9eef800..ce1a52b9e8a3 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)
398 398
399error: 399error:
400 put_cred(new); 400 put_cred(new);
401 return NULL;
402
401free_tgcred: 403free_tgcred:
402#ifdef CONFIG_KEYS 404#ifdef CONFIG_KEYS
403 kfree(tgcred); 405 kfree(tgcred);