lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

netfilter: fix double-free and use-after free

Browse Source 
As suggested by Patrick McHardy, introduce a __krealloc() that doesn't
free the original buffer to fix a double-free and use-after-free bug
introduced by me in netfilter that uses RCU.

Reported-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Tested-by: Dieter Ries <clip2@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Pekka Enberg
2008-07-26 17:49:33 -07:00
committed by David S. Miller
parent 3918fed5f3
commit 93bc4e89c2
3 changed files with 37 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
include/linux/slab.h
View File

@@ -96,6 +96,7 @@ int kmem_ptr_validate(struct kmem_cache *cachep, const void *ptr);
/* /*
* Common kmalloc functions provided by all allocators * Common kmalloc functions provided by all allocators
*/ */
void * __must_check __krealloc(const void *, size_t, gfp_t);
void * __must_check krealloc(const void *, size_t, gfp_t); void * __must_check krealloc(const void *, size_t, gfp_t);
void kfree(const void *); void kfree(const void *);
size_t ksize(const void *); size_t ksize(const void *);

46
mm/util.c
View File

@@ -67,6 +67,38 @@ void *kmemdup(const void *src, size_t len, gfp_t gfp)
} }
EXPORT_SYMBOL(kmemdup); EXPORT_SYMBOL(kmemdup);
/**
* __krealloc - like krealloc() but don't free @p.
* @p: object to reallocate memory for.
* @new_size: how many bytes of memory are required.
* @flags: the type of memory to allocate.
*
* This function is like krealloc() except it never frees the originally
* allocated buffer. Use this if you don't want to free the buffer immediately
* like, for example, with RCU.
*/
void *__krealloc(const void *p, size_t new_size, gfp_t flags)
{
void *ret;
size_t ks = 0;
if (unlikely(!new_size))
return ZERO_SIZE_PTR;
if (p)
ks = ksize(p);
if (ks >= new_size)
return (void *)p;
ret = kmalloc_track_caller(new_size, flags);
if (ret && p)
memcpy(ret, p, ks);
return ret;
}
EXPORT_SYMBOL(__krealloc);
/** /**
* krealloc - reallocate memory. The contents will remain unchanged. * krealloc - reallocate memory. The contents will remain unchanged.
* @p: object to reallocate memory for. * @p: object to reallocate memory for.
@@ -81,24 +113,16 @@ EXPORT_SYMBOL(kmemdup);
void *krealloc(const void *p, size_t new_size, gfp_t flags) void *krealloc(const void *p, size_t new_size, gfp_t flags)
{ {
void *ret; void *ret;
size_t ks = 0;
if (unlikely(!new_size)) { if (unlikely(!new_size)) {
kfree(p); kfree(p);
return ZERO_SIZE_PTR; return ZERO_SIZE_PTR;
} }
if (p) ret = __krealloc(p, new_size, flags);
ks = ksize(p); if (ret && p != ret)
if (ks >= new_size)
return (void *)p;
ret = kmalloc_track_caller(new_size, flags);
if (ret && p) {
memcpy(ret, p, ks);
kfree(p); kfree(p);
}
return ret; return ret;
} }
EXPORT_SYMBOL(krealloc); EXPORT_SYMBOL(krealloc);

2
net/netfilter/nf_conntrack_extend.c
View File

@@ -95,7 +95,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
newlen = newoff + t->len; newlen = newoff + t->len;
rcu_read_unlock(); rcu_read_unlock();
new = krealloc(ct->ext, newlen, gfp); new = __krealloc(ct->ext, newlen, gfp);
if (!new) if (!new)
return NULL; return NULL;