From: Kees Cook Date: Wed, 16 Apr 2014 17:54:34 +0000 (-0700) Subject: seccomp: fix memory leak on filter attach X-Git-Tag: firefly_0821_release~4090^2~271 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=c2da3eba6ac4b2df16d4aa13ce0f9bd360000baa;p=firefly-linux-kernel-4.4.55.git seccomp: fix memory leak on filter attach This sets the correct error code when final filter memory is unavailable, and frees the raw filter no matter what. unreferenced object 0xffff8800d6ea4000 (size 512): comm "sshd", pid 278, jiffies 4294898315 (age 46.653s) hex dump (first 32 bytes): 21 00 00 00 04 00 00 00 15 00 01 00 3e 00 00 c0 !...........>... 06 00 00 00 00 00 00 00 21 00 00 00 00 00 00 00 ........!....... backtrace: [] kmemleak_alloc+0x4e/0xb0 [] __kmalloc+0x280/0x320 [] prctl_set_seccomp+0x11e/0x3b0 [] SyS_prctl+0x3bb/0x4a0 [] system_call_fastpath+0x1a/0x1f [] 0xffffffffffffffff Reported-by: Masami Ichikawa Signed-off-by: Kees Cook Tested-by: Masami Ichikawa Acked-by: Daniel Borkmann Signed-off-by: David S. Miller Conflicts: kernel/seccomp.c Change-Id: Ide3c27bf378397f8faf4218e75c31e4b8bc43c4c --- diff --git a/kernel/seccomp.c b/kernel/seccomp.c index b7a10048a32c..260ff1fce63d 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -273,7 +273,23 @@ static long seccomp_attach_filter(struct sock_fprog *fprog) /* Check and rewrite the fprog for seccomp use */ ret = seccomp_check_filter(filter->insns, filter->len); if (ret) - goto fail; + goto free_prog; + + /* Allocate a new seccomp_filter */ + ret = -ENOMEM; + filter = kzalloc(sizeof(struct seccomp_filter) + + sizeof(struct sock_filter_int) * new_len, + GFP_KERNEL|__GFP_NOWARN); + if (!filter) + goto free_prog; + + ret = sk_convert_filter(fp, fprog->len, filter->insnsi, &new_len); + if (ret) + goto free_filter; + kfree(fp); + + atomic_set(&filter->usage, 1); + filter->len = new_len; /* * If there is an existing filter, make it the prev and don't drop its