| Message ID | 20221122115122.13937-1-tiwai@suse.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp2161329wrr;
Tue, 22 Nov 2022 04:09:40 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf65Nv+U042SmFsg8Wu8CCWgqbxzpOasA3xPy3NLkufnAeLNl/OKxY3GBeoj8/1U9U5EXvXH
X-Received: by 2002:a17:907:cf84:b0:78d:4795:ff1f with SMTP id
ux4-20020a170907cf8400b0078d4795ff1fmr20213542ejc.331.1669118980233;
Tue, 22 Nov 2022 04:09:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669118980; cv=none;
d=google.com; s=arc-20160816;
b=uY0BrXJITb3DLizIvzgwVg3DdTBnkOid30IRQ8JRN/hbvDh/hUeUbPo5IlQjVO5BF5
lDAU+4XTJ5BWpAJVMyYeTeMugnIGx9R9AOWg8lxz8rUbdN4MJw9+X8QxTf+crxICTZrx
aP2V8xVZ0Mq/sLbKGU7+bIJmwEJBgnOEqpwnaqSZY6etQ/XXycSoSfUaQpjkIgUKYga/
PuYM4YUen25XX2qg95DRyokZoOVCvPhKK8MMsK7L28gp54yX0mUkHpQhpHKdu0g5semI
8bRu57WiGQz2T93s9XlUOzt8bi7XeznEEozRwa03ijm9f9lpZSyVDKhVR+ofpZiKFfRB
koFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
bh=pizNmII+kH90P+wFkDN3Lxn3VPpzAwqATNwsGxqqK60=;
b=TCncaBo6c+AFzJsgYg3qt34AFFlrbLvjuCeVj4Pfu7cIFuBfD/+4mp4+dRE2s3pLgL
29q/HjtNULugFCxR+CkXh1SKdA2HmIKb6ob1a8LLJvF5/Co+s8cyNwIsVRsZLX9XEMZ6
u9eFzmEhztZU8fxXY35ZIweqV9UI/PNBwrh4jmoinbN7dzAgy+ERl+rRnvccxmg2q/vg
Jt1AFEwgqIjapr+J5nVnWq4Fb844VlwREbDta5Th7poA4S8L4MjDvsSZ3qbSJ5+6FcN6
vc4/+Fr7lqYdR7RXdpYLi0j6nh/T+gvgwIHPBRMnGIQ45fj+zHxA/BeRWrrpbGaYHNye
9pNg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=XmiMVJbI;
dkim=neutral (no key) header.i=@suse.de;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
ss28-20020a170907c01c00b007ad79c4f58fsi9871033ejc.120.2022.11.22.04.09.07;
Tue, 22 Nov 2022 04:09:40 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=XmiMVJbI;
dkim=neutral (no key) header.i=@suse.de;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233407AbiKVLv3 (ORCPT <rfc822;cjcooper78@gmail.com> + 99 others);
Tue, 22 Nov 2022 06:51:29 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40358 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S232465AbiKVLv1 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 22 Nov 2022 06:51:27 -0500
Received: from smtp-out2.suse.de (smtp-out2.suse.de
[IPv6:2001:67c:2178:6::1d])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 21D4D178A4
for <linux-kernel@vger.kernel.org>;
Tue, 22 Nov 2022 03:51:27 -0800 (PST)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by smtp-out2.suse.de (Postfix) with ESMTPS id 0C41C1F86B;
Tue, 22 Nov 2022 11:51:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_rsa;
t=1669117885;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=pizNmII+kH90P+wFkDN3Lxn3VPpzAwqATNwsGxqqK60=;
b=XmiMVJbIHB7sx62hDnd/0pdiGvcygkdqeYqiGgXH0Zc0SF57nqZdyw9CavqXcxSqJ4xfhG
U7243p+Ce6aUOzTIJUmN8pZKGI9PcuqgsrDvRPJBz5f4RzIpOjEvJjx8faLYfC/uUg9wT4
5tL+jWQUkZsuVrPsRwqU2fE8ioGXOxk=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_ed25519; t=1669117885;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=pizNmII+kH90P+wFkDN3Lxn3VPpzAwqATNwsGxqqK60=;
b=TgUyRD1O+BUA8QsRUaves7GWLZEQQIziOiEA6Syxj4CU2s2wHksssPiSoHxodOIEYGse42
1S56pgfAPrwJolBA==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id CDDE013AA1;
Tue, 22 Nov 2022 11:51:24 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
by imap2.suse-dmz.suse.de with ESMTPSA
id ecJ2Mby3fGOQEgAAMHmgww
(envelope-from <tiwai@suse.de>); Tue, 22 Nov 2022 11:51:24 +0000
From: Takashi Iwai <tiwai@suse.de>
To: x86@kernel.org
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Baoquan He <bhe@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org
Subject: [PATCH] x86/kexec: Fix double-free of elf header buffer
Date: Tue, 22 Nov 2022 12:51:22 +0100
Message-Id: <20221122115122.13937-1-tiwai@suse.de>
X-Mailer: git-send-email 2.35.3
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1750198103793349046?=
X-GMAIL-MSGID: =?utf-8?q?1750198103793349046?=
|
| Series |
x86/kexec: Fix double-free of elf header buffer
|
|
Commit Message
Takashi Iwai
Nov. 22, 2022, 11:51 a.m. UTC
The recent fix for memory leaks forgot to clear the error path that
already does vfree() for the elf headers. This may result in a
double-free.
Drop the superfluous vfree() call at the error path of
crash_load_segments().
Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
arch/x86/kernel/crash.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
Comments
CC kexec@lists.infradead.org On 11/22/22 at 12:51pm, Takashi Iwai wrote: > The recent fix for memory leaks forgot to clear the error path that > already does vfree() for the elf headers. This may result in a > double-free. Good catch. The log can be improved to make the issue more obvious. How about this: ====== With commit b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer"), freeing up image->elf_headers in error path of crash_load_segments() is not needed, because later kimage_file_post_load_cleanup() will cover it. And not clearing it could result in a double-free. Drop the superfluous vfree() call at the error path of crash_load_segments(). ======== Other than the log part, LGTM. Thanks. Acked-by: Baoquan He <bhe@redhat.com> > > Drop the superfluous vfree() call at the error path of > crash_load_segments(). > > Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer") > Signed-off-by: Takashi Iwai <tiwai@suse.de> > --- > arch/x86/kernel/crash.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c > index 9730c88530fc..305514431f26 100644 > --- a/arch/x86/kernel/crash.c > +++ b/arch/x86/kernel/crash.c > @@ -401,10 +401,8 @@ int crash_load_segments(struct kimage *image) > kbuf.buf_align = ELF_CORE_HEADER_ALIGN; > kbuf.mem = KEXEC_BUF_MEM_UNKNOWN; > ret = kexec_add_buffer(&kbuf); > - if (ret) { > - vfree((void *)image->elf_headers); > + if (ret) > return ret; > - } > image->elf_load_addr = kbuf.mem; > pr_debug("Loaded ELF headers at 0x%lx bufsz=0x%lx memsz=0x%lx\n", > image->elf_load_addr, kbuf.bufsz, kbuf.memsz); > -- > 2.35.3 >
On 11/22/22 12:51, Takashi Iwai wrote: > The recent fix for memory leaks forgot to clear the error path that > already does vfree() for the elf headers. This may result in a > double-free. > > Drop the superfluous vfree() call at the error path of > crash_load_segments(). > > Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer") > Signed-off-by: Takashi Iwai <tiwai@suse.de> Acked-by: Vlastimil Babka <vbabka@suse.cz> > --- > arch/x86/kernel/crash.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c > index 9730c88530fc..305514431f26 100644 > --- a/arch/x86/kernel/crash.c > +++ b/arch/x86/kernel/crash.c > @@ -401,10 +401,8 @@ int crash_load_segments(struct kimage *image) > kbuf.buf_align = ELF_CORE_HEADER_ALIGN; > kbuf.mem = KEXEC_BUF_MEM_UNKNOWN; > ret = kexec_add_buffer(&kbuf); > - if (ret) { > - vfree((void *)image->elf_headers); > + if (ret) > return ret; > - } > image->elf_load_addr = kbuf.mem; > pr_debug("Loaded ELF headers at 0x%lx bufsz=0x%lx memsz=0x%lx\n", > image->elf_load_addr, kbuf.bufsz, kbuf.memsz);
diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c index 9730c88530fc..305514431f26 100644 --- a/arch/x86/kernel/crash.c +++ b/arch/x86/kernel/crash.c @@ -401,10 +401,8 @@ int crash_load_segments(struct kimage *image) kbuf.buf_align = ELF_CORE_HEADER_ALIGN; kbuf.mem = KEXEC_BUF_MEM_UNKNOWN; ret = kexec_add_buffer(&kbuf); - if (ret) { - vfree((void *)image->elf_headers); + if (ret) return ret; - } image->elf_load_addr = kbuf.mem; pr_debug("Loaded ELF headers at 0x%lx bufsz=0x%lx memsz=0x%lx\n", image->elf_load_addr, kbuf.bufsz, kbuf.memsz);