mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-10-31 16:54:21 +00:00
coredump: format_corename() can leak cn->corename
do_coredump() assumes that format_corename() can only fail if expand_corename() fails and frees cn->corename. This is not true, for example cn_print_exe_file() can fail and in this case nobody frees cn->corename. Change do_coredump() to always do kfree(cn->corename) after it calls format_corename() (NULL is fine), change expand_corename() to do nothing if kmalloc() fails. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: Andi Kleen <andi@firstfloor.org> Cc: Colin Walters <walters@verbum.org> Cc: Denys Vlasenko <vda.linux@googlemail.com> Cc: Jiri Slaby <jslaby@suse.cz> Cc: Lennart Poettering <mzxreary@0pointer.de> Cc: Lucas De Marchi <lucas.de.marchi@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Oleg Nesterov
Linus Torvalds
parent
7f57cfa4e2
commit
e7fd1549ae
1 changed files with 7 additions and 11 deletions
|
|
@ -58,16 +58,14 @@ static atomic_t call_count = ATOMIC_INIT(1);
|
|||
|
||||
static int expand_corename(struct core_name *cn)
|
||||
{
|
||||
char *old_corename = cn->corename;
|
||||
int size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
|
||||
char *corename = krealloc(cn->corename, size, GFP_KERNEL);
|
||||
|
||||
cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
|
||||
cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
|
||||
|
||||
if (!cn->corename) {
|
||||
kfree(old_corename);
|
||||
if (!corename)
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
cn->size = size;
|
||||
cn->corename = corename;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -157,10 +155,9 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm)
|
|||
int pid_in_pattern = 0;
|
||||
int err = 0;
|
||||
|
||||
cn->used = 0;
|
||||
cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
|
||||
cn->corename = kmalloc(cn->size, GFP_KERNEL);
|
||||
cn->used = 0;
|
||||
|
||||
if (!cn->corename)
|
||||
return -ENOMEM;
|
||||
|
||||
|
|
@ -549,7 +546,7 @@ void do_coredump(siginfo_t *siginfo)
|
|||
if (ispipe < 0) {
|
||||
printk(KERN_WARNING "format_corename failed\n");
|
||||
printk(KERN_WARNING "Aborting core\n");
|
||||
goto fail_corename;
|
||||
goto fail_unlock;
|
||||
}
|
||||
|
||||
if (cprm.limit == 1) {
|
||||
|
|
@ -669,7 +666,6 @@ fail_dropcount:
|
|||
atomic_dec(&core_dump_count);
|
||||
fail_unlock:
|
||||
kfree(cn.corename);
|
||||
fail_corename:
|
||||
coredump_finish(mm, core_dumped);
|
||||
revert_creds(old_cred);
|
||||
fail_creds:
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue