Commit ee0edc3e authored by David Ramos's avatar David Ramos Committed by Luis Henriques

svcrpc: fix memory leak in gssp_accept_sec_context_upcall

commit a1d1e9be upstream.

Our UC-KLEE tool found a kernel memory leak of 512 bytes (on x86_64) for
each call to gssp_accept_sec_context_upcall()
(net/sunrpc/auth_gss/gss_rpc_upcall.c). Since it appears that this call
can be triggered by remote connections (at least, from a cursory a
glance at the call chain), it may be exploitable to cause kernel memory
exhaustion. We found the bug in kernel 3.16.3, but it appears to date
back to commit 9dfd87da (2013-08-20).

The gssp_accept_sec_context_upcall() function performs a pair of calls
to gssp_alloc_receive_pages() and gssp_free_receive_pages().  The first
allocates memory for arg->pages.  The second then frees the pages
pointed to by the arg->pages array, but not the array itself.
Reported-by: default avatarDavid A. Ramos <daramos@stanford.edu>
Fixes: 9dfd87da ("rpc: fix huge kmalloc's in gss-proxy”)
Signed-off-by: default avatarDavid A. Ramos <daramos@stanford.edu>
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent 4574bc36
...@@ -217,6 +217,8 @@ static void gssp_free_receive_pages(struct gssx_arg_accept_sec_context *arg) ...@@ -217,6 +217,8 @@ static void gssp_free_receive_pages(struct gssx_arg_accept_sec_context *arg)
for (i = 0; i < arg->npages && arg->pages[i]; i++) for (i = 0; i < arg->npages && arg->pages[i]; i++)
__free_page(arg->pages[i]); __free_page(arg->pages[i]);
kfree(arg->pages);
} }
static int gssp_alloc_receive_pages(struct gssx_arg_accept_sec_context *arg) static int gssp_alloc_receive_pages(struct gssx_arg_accept_sec_context *arg)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment