Commit e7fd1549 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Linus Torvalds

coredump: format_corename() can leak cn->corename

do_coredump() assumes that format_corename() can only fail if
expand_corename() fails and frees cn->corename.  This is not true, for
example cn_print_exe_file() can fail and in this case nobody frees
cn->corename.

Change do_coredump() to always do kfree(cn->corename) after it calls
format_corename() (NULL is fine), change expand_corename() to do nothing
if kmalloc() fails.
Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Colin Walters <walters@verbum.org>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Lennart Poettering <mzxreary@0pointer.de>
Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 7f57cfa4
...@@ -58,16 +58,14 @@ static atomic_t call_count = ATOMIC_INIT(1); ...@@ -58,16 +58,14 @@ static atomic_t call_count = ATOMIC_INIT(1);
static int expand_corename(struct core_name *cn) static int expand_corename(struct core_name *cn)
{ {
char *old_corename = cn->corename; int size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
char *corename = krealloc(cn->corename, size, GFP_KERNEL);
cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count); if (!corename)
cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
if (!cn->corename) {
kfree(old_corename);
return -ENOMEM; return -ENOMEM;
}
cn->size = size;
cn->corename = corename;
return 0; return 0;
} }
...@@ -157,10 +155,9 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm) ...@@ -157,10 +155,9 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm)
int pid_in_pattern = 0; int pid_in_pattern = 0;
int err = 0; int err = 0;
cn->used = 0;
cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count); cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
cn->corename = kmalloc(cn->size, GFP_KERNEL); cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
if (!cn->corename) if (!cn->corename)
return -ENOMEM; return -ENOMEM;
...@@ -549,7 +546,7 @@ void do_coredump(siginfo_t *siginfo) ...@@ -549,7 +546,7 @@ void do_coredump(siginfo_t *siginfo)
if (ispipe < 0) { if (ispipe < 0) {
printk(KERN_WARNING "format_corename failed\n"); printk(KERN_WARNING "format_corename failed\n");
printk(KERN_WARNING "Aborting core\n"); printk(KERN_WARNING "Aborting core\n");
goto fail_corename; goto fail_unlock;
} }
if (cprm.limit == 1) { if (cprm.limit == 1) {
...@@ -669,7 +666,6 @@ void do_coredump(siginfo_t *siginfo) ...@@ -669,7 +666,6 @@ void do_coredump(siginfo_t *siginfo)
atomic_dec(&core_dump_count); atomic_dec(&core_dump_count);
fail_unlock: fail_unlock:
kfree(cn.corename); kfree(cn.corename);
fail_corename:
coredump_finish(mm, core_dumped); coredump_finish(mm, core_dumped);
revert_creds(old_cred); revert_creds(old_cred);
fail_creds: fail_creds:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment