staging: p9auth: prevent some oopses and memory leaks
Before all testcases, do: mknod /dev/caphash c 253 0 mknod /dev/capuse c 253 1 This patch does the following: 1. caphash write of > CAP_NODE_SIZE bytes overruns node_ptr->data (test: cat /etc/mime.types > /dev/caphash) 2. make sure we don't dereference a NULL cap_devices[0].head (test: cat serge@root@abab > /dev/capuse) 3. don't let strlen dereference a NULL target_user etc (test: echo ab > /dev/capuse) 4. Don't leak a bunch of memory in cap_write(). Note that technically node_ptr is not needed for the capuse write case. As a result I have a much more extensive patch splitting up cap_write(), but I thought a smaller patch that is easier to test and verify would be a better start. To test: cnt=0 while [ 1 ]; do echo /etc/mime.types > /dev/capuse if [ $((cnt%25)) -eq 0 ]; then head -2 /proc/meminfo fi cnt=$((cnt+1)) sleep 0.3 done Without this patch, it MemFree steadily drops. With the patch, it does not. I have *not* tested this driver (with or without these patches) with factotum or anything - only using the tests described above. Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
parent
0f51010e87
commit
f82ebea5c8
1 changed files with 23 additions and 1 deletions
|
@ -180,8 +180,12 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
|
||||||
if (down_interruptible(&dev->sem))
|
if (down_interruptible(&dev->sem))
|
||||||
return -ERESTARTSYS;
|
return -ERESTARTSYS;
|
||||||
|
|
||||||
|
user_buf_running = NULL;
|
||||||
|
hash_str = NULL;
|
||||||
node_ptr = kmalloc(sizeof(struct cap_node), GFP_KERNEL);
|
node_ptr = kmalloc(sizeof(struct cap_node), GFP_KERNEL);
|
||||||
user_buf = kzalloc(count, GFP_KERNEL);
|
user_buf = kzalloc(count, GFP_KERNEL);
|
||||||
|
if (!node_ptr || !user_buf)
|
||||||
|
goto out;
|
||||||
|
|
||||||
if (copy_from_user(user_buf, buf, count)) {
|
if (copy_from_user(user_buf, buf, count)) {
|
||||||
retval = -EFAULT;
|
retval = -EFAULT;
|
||||||
|
@ -193,11 +197,21 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
|
||||||
* hashed capability supplied by the user to the list of hashes
|
* hashed capability supplied by the user to the list of hashes
|
||||||
*/
|
*/
|
||||||
if (0 == iminor(filp->f_dentry->d_inode)) {
|
if (0 == iminor(filp->f_dentry->d_inode)) {
|
||||||
|
if (count > CAP_NODE_SIZE) {
|
||||||
|
retval = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
printk(KERN_INFO "Capability being written to /dev/caphash : \n");
|
printk(KERN_INFO "Capability being written to /dev/caphash : \n");
|
||||||
hexdump(user_buf, count);
|
hexdump(user_buf, count);
|
||||||
memcpy(node_ptr->data, user_buf, count);
|
memcpy(node_ptr->data, user_buf, count);
|
||||||
list_add(&(node_ptr->list), &(dev->head->list));
|
list_add(&(node_ptr->list), &(dev->head->list));
|
||||||
|
node_ptr = NULL;
|
||||||
} else {
|
} else {
|
||||||
|
if (!cap_devices[0].head ||
|
||||||
|
list_empty(&(cap_devices[0].head->list))) {
|
||||||
|
retval = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
/*
|
/*
|
||||||
* break the supplied string into tokens with @ as the
|
* break the supplied string into tokens with @ as the
|
||||||
* delimiter If the string is "user1@user2@randomstring" we
|
* delimiter If the string is "user1@user2@randomstring" we
|
||||||
|
@ -208,6 +222,10 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
|
||||||
source_user = strsep(&user_buf_running, "@");
|
source_user = strsep(&user_buf_running, "@");
|
||||||
target_user = strsep(&user_buf_running, "@");
|
target_user = strsep(&user_buf_running, "@");
|
||||||
rand_str = strsep(&user_buf_running, "@");
|
rand_str = strsep(&user_buf_running, "@");
|
||||||
|
if (!source_user || !target_user || !rand_str) {
|
||||||
|
retval = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
/* hash the string user1@user2 with rand_str as the key */
|
/* hash the string user1@user2 with rand_str as the key */
|
||||||
len = strlen(source_user) + strlen(target_user) + 1;
|
len = strlen(source_user) + strlen(target_user) + 1;
|
||||||
|
@ -224,7 +242,7 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
|
||||||
retval = -EFAULT;
|
retval = -EFAULT;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
memcpy(node_ptr->data, result, CAP_NODE_SIZE);
|
memcpy(node_ptr->data, result, CAP_NODE_SIZE); /* why? */
|
||||||
/* Change the process's uid if the hash is present in the
|
/* Change the process's uid if the hash is present in the
|
||||||
* list of hashes
|
* list of hashes
|
||||||
*/
|
*/
|
||||||
|
@ -299,6 +317,10 @@ static ssize_t cap_write(struct file *filp, const char __user *buf,
|
||||||
dev->size = *f_pos;
|
dev->size = *f_pos;
|
||||||
|
|
||||||
out:
|
out:
|
||||||
|
kfree(node_ptr);
|
||||||
|
kfree(user_buf);
|
||||||
|
kfree(user_buf_running);
|
||||||
|
kfree(hash_str);
|
||||||
up(&dev->sem);
|
up(&dev->sem);
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue