author | David Howells <dhowells@redhat.com> | 2010-04-20 17:41:18 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-04-20 19:20:35 -0400 |
commit | eff30363c0b8b057f773108589bfd8881659fe74 (patch) | |
tree | 6ae631c2fa01174a24da347b68fc25f0c350bc2b /kernel/cred.c | |
parent | 05ce7bfe547c9fa967d9cab6c37867a9cb6fb3fa (diff) |
CRED: Fix double free in prepare_usermodehelper_creds() error handling

Patch 570b8fb505896e007fd3bb07573ba6640e51851d:

Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Tue Mar 30 00:04:00 2010 +0100
Subject: CRED: Fix memory leak in error handling

attempts to fix a memory leak in the error handling by making the offending
return statement into a jump down to the bottom of the function where a
kfree(tgcred) is inserted.

This is, however, incorrect, as it does a kfree() after doing put_cred() if
security_prepare_creds() fails. That will result in a double free if 'error'
is jumped to as put_cred() will also attempt to free the new tgcred record by
virtue of it being pointed to by the new cred record.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'kernel/cred.c')
-rw-r--r-- | kernel/cred.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/cred.c b/kernel/cred.c index e1dbe9eef800..ce1a52b9e8a3 100644 --- a/kernel/cred.c +++ b/kernel/cred.c | |||
@@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void) | |||
398 | 398 | ||
399 | error: | 399 | error: |
400 | put_cred(new); | 400 | put_cred(new); |
401 | return NULL; | ||
402 | |||
401 | free_tgcred: | 403 | free_tgcred: |
402 | #ifdef CONFIG_KEYS | 404 | #ifdef CONFIG_KEYS |
403 | kfree(tgcred); | 405 | kfree(tgcred); |
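
Review bot: The `error:` path carries no comment explaining why it must return before `free_tgcred:`, and the two labels now differ only in who owns tgcred, which is the detail the earlier leak fix got wrong. Add a short comment above `put_cred(new);` stating that the new cred already points at tgcred, so put_cred() releases it, and a matching comment at `free_tgcred:` stating which failures may jump there. With the labels adjacent and separated only by `return NULL;`, a later cleanup that merges them or drops the return would bring the double kfree() back without any visible warning in the code.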