Brainy: Kernel Use-after-free & Memory Leak in hifn

Brainy: Kernel Use-after-free & Memory Leak in hifn

Maxime Villard-2
Hi,
I put here two bugs among others:

------------------------ sys/dev/pci/hifn7751.c ------------------------

2757
        if (!(m0->m_flags & M_EXT))
                m_freem(m0);
        len = MCLBYTES;

        totlen -= len;
        m0->m_pkthdr.len = m0->m_len = len;
        mlast = m0;

------------------------------------------------------------------------

Use-after-free with 'm0'.

------------------------ sys/dev/pci/hifn7751.c ------------------------

2766
                MGET(m, M_DONTWAIT, MT_DATA);
                if (m == NULL) {
                        m_freem(m0);
                        return (NULL);
                }
                MCLGET(m, M_DONTWAIT);
                if (!(m->m_flags & M_EXT)) {
                        m_freem(m0);
                        return (NULL);
                }
                len = MCLBYTES;

------------------------------------------------------------------------

'm' is leaked.

Found by The Brainy Code Scanner.

Maxime
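The shape both reports call for, as an added stand-alone C model (not OpenBSD's hifn7751.c and not the committed fix): every failure path in the mbuf chain-building loop frees exactly what it owns and returns NULL, so a failed cluster attach on m0 never touches m0 again, and a failed cluster attach on m frees m as well as the chain. The mbuf struct, the live-allocation counter, the fault-injection switch and the names mget, mclget, build_chain and chain_mbufs are constructed here to make the leak check runnable in user space.

```c
#include <stdlib.h>
#define M_EXT    0x1
#define MCLBYTES ((size_t)2048)
struct mbuf { struct mbuf *m_next; int m_flags; size_t m_len; };

static int live_mbufs;                     /* outstanding allocations, for leak checks */
static int fail_cluster_at, cluster_calls; /* fault injection: n-th cluster attach fails (0 = never) */

static struct mbuf *mget(void) {           /* stands in for MGET(m, M_DONTWAIT, MT_DATA) */
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m != NULL) live_mbufs++;
    return m;
}
static void mclget(struct mbuf *m) {       /* stands in for MCLGET(m, M_DONTWAIT) */
    if (++cluster_calls != fail_cluster_at) m->m_flags |= M_EXT;
}
static void m_freem(struct mbuf *m) {      /* frees the whole chain, like the kernel's m_freem */
    while (m != NULL) { struct mbuf *n = m->m_next; free(m); live_mbufs--; m = n; }
}
int outstanding_mbufs(void) { return live_mbufs; }

/* Build a chain holding totlen bytes; on any failure free what we own and return NULL. */
struct mbuf *build_chain(size_t totlen) {
    struct mbuf *m0 = mget(), *mlast, *m;
    if (m0 == NULL) return NULL;
    mclget(m0);
    if (!(m0->m_flags & M_EXT)) { m_freem(m0); return NULL; }  /* report 1: no use of m0 after free */
    m0->m_len = totlen < MCLBYTES ? totlen : MCLBYTES;
    totlen -= m0->m_len;
    mlast = m0;
    while (totlen > 0) {
        m = mget();
        if (m == NULL) { m_freem(m0); return NULL; }
        mclget(m);
        if (!(m->m_flags & M_EXT)) { m_freem(m); m_freem(m0); return NULL; }  /* report 2: m not leaked */
        m->m_len = totlen < MCLBYTES ? totlen : MCLBYTES;
        totlen -= m->m_len;
        mlast->m_next = m;
        mlast = m;
    }
    return m0;
}

/* Check helper: build a chain under fault injection, count its mbufs, free it; -1 on failure. */
int chain_mbufs(size_t totlen, int failing_cluster) {
    fail_cluster_at = failing_cluster; cluster_calls = 0;
    struct mbuf *m0 = build_chain(totlen), *p; int n = 0;
    if (m0 == NULL) return -1;
    for (p = m0; p != NULL; p = p->m_next) n++;
    m_freem(m0);
    return n;
}
```

After each call, outstanding_mbufs() must read 0 whether the build succeeded or failed; the buggy variants from the report would leave it positive (leak) or corrupt the heap (use after free).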

Re: Brainy: Kernel Use-after-free & Memory Leak in hifn

Mike Belopuhov-5
On Mon, May 11, 2015 at 22:11 +0200, Maxime Villard wrote:

> Hi,
> I put here two bugs among others:
>
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
>
> 2757
>         if (!(m0->m_flags & M_EXT))
>                 m_freem(m0);
>         len = MCLBYTES;
>
>         totlen -= len;
>         m0->m_pkthdr.len = m0->m_len = len;
>         mlast = m0;
>
> ------------------------------------------------------------------------
>
> Use-after-free with 'm0'.
>
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
>
> 2766
>                 MGET(m, M_DONTWAIT, MT_DATA);
>                 if (m == NULL) {
>                         m_freem(m0);
>                         return (NULL);
>                 }
>                 MCLGET(m, M_DONTWAIT);
>                 if (!(m->m_flags & M_EXT)) {
>                         m_freem(m0);
>                         return (NULL);
>                 }
>                 len = MCLBYTES;
>
> ------------------------------------------------------------------------
>
> 'm' is leaked.
>
> Found by The Brainy Code Scanner.
>
> Maxime
>

Fixed in -current.  Thanks for reporting!

Re: Brainy: Kernel Use-after-free & Memory Leak in hifn

sam
On Mon, 11 May 2015 22:11:10 +0200
Maxime Villard <[hidden email]> wrote:

> Hi,
> I put here two bugs among others:
>
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
>
> 2757
>         if (!(m0->m_flags & M_EXT))
>                 m_freem(m0);
>         len = MCLBYTES;
>
>         totlen -= len;
>         m0->m_pkthdr.len = m0->m_len = len;
>         mlast = m0;
>
> ------------------------------------------------------------------------
>
> Use-after-free with 'm0'.
>
> ------------------------ sys/dev/pci/hifn7751.c ------------------------
>
> 2766
>                 MGET(m, M_DONTWAIT, MT_DATA);
>                 if (m == NULL) {
>                         m_freem(m0);
>                         return (NULL);
>                 }
>                 MCLGET(m, M_DONTWAIT);
>                 if (!(m->m_flags & M_EXT)) {
>                         m_freem(m0);
>                         return (NULL);
>                 }
>                 len = MCLBYTES;
>
> ------------------------------------------------------------------------
>
> 'm' is leaked.
>
> Found by The Brainy Code Scanner.
>
> Maxime
>

If there are any other unresolved bugs your code scanner has found,
please do report them. It's better for everyone.

Is there any chance you would one day open source it, or tell us what
it is based on? :)

Thanks anyway!