[PATCH] security: commoncap: fix potential memleak on error path from vfs_getxattr_alloc
Christian Brauner
brauner at kernel.org
Tue Oct 25 13:04:59 UTC 2022
On Tue, Oct 25, 2022 at 06:45:44PM +0800, Gaosheng Cui wrote:
> In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to
> complete the memory allocation of tmpbuf, if we have completed
> the memory allocation of tmpbuf, but failed to call handler->get(...),
> there will be a memleak in below logic:
>
> |-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...) <-- alloc for tmpbuf
> |-- value = krealloc(*xattr_value, error + 1, flags) <-- alloc memory
> |-- error = handler->get(handler, ...) <-- if error
> |-- *xattr_value = value <-- xattr_value is &tmpbuf <-- memory leak
>
> So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.
Hey Gaosheng,
>
> Fixes: 71bc356f93a1 ("commoncap: handle idmapped mounts")
The Fixes: tag is wrong afaict. The control flow isn't changed in any
way by the referenced commit.
The logic changed the last time with
82e5d8cc768b ("security: commoncap: fix -Wstringop-overread warning")
but even that commit wouldn't have introduced the bug. It would've been
introduced by 8db6c34f1dbc ("Introduce v3 namespaced file
capabilities"). So update the Fixes: tag with that reference, please.
Otherwise I think you in principle have a point. Not sure if we have any
filesystem that in practice would fail after permission checks have
already passed with the first call to ->get() but then fail with the
correct size passed in the second ->get() invocation. Sounds super
unlikely but not impossible.
More information about the Linux-security-module-archive
mailing list