coredump: format_corename() can leak cn->corename

do_coredump() assumes that format_corename() can only fail if
expand_corename() fails and frees cn->corename.  This is not true, for
example cn_print_exe_file() can fail and in this case nobody frees
cn->corename.

Change do_coredump() to always do kfree(cn->corename) after it calls
format_corename() (NULL is fine), change expand_corename() to do nothing
if kmalloc() fails.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Colin Walters <walters@verbum.org>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Lennart Poettering <mzxreary@0pointer.de>
Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Oleg Nesterov 2013-07-03 15:08:16 -07:00 committed by Linus Torvalds
parent 7f57cfa4e2
commit e7fd1549ae

View file

@ -58,16 +58,14 @@ static atomic_t call_count = ATOMIC_INIT(1);
static int expand_corename(struct core_name *cn)
{
char *old_corename = cn->corename;
int size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
char *corename = krealloc(cn->corename, size, GFP_KERNEL);
cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
if (!cn->corename) {
kfree(old_corename);
if (!corename)
return -ENOMEM;
}
cn->size = size;
cn->corename = corename;
return 0;
}
@ -157,10 +155,9 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm)
int pid_in_pattern = 0;
int err = 0;
cn->used = 0;
cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
if (!cn->corename)
return -ENOMEM;
@ -549,7 +546,7 @@ void do_coredump(siginfo_t *siginfo)
if (ispipe < 0) {
printk(KERN_WARNING "format_corename failed\n");
printk(KERN_WARNING "Aborting core\n");
goto fail_corename;
goto fail_unlock;
}
if (cprm.limit == 1) {
@ -669,7 +666,6 @@ void do_coredump(siginfo_t *siginfo)
atomic_dec(&core_dump_count);
fail_unlock:
kfree(cn.corename);
fail_corename:
coredump_finish(mm, core_dumped);
revert_creds(old_cred);
fail_creds: