Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f82ebea5 authored by Serge E. Hallyn's avatar Serge E. Hallyn Committed by Greg Kroah-Hartman
Browse files

staging: p9auth: prevent some oopses and memory leaks 



Before all testcases, do:
	mknod /dev/caphash c 253 0
	mknod /dev/capuse c 253 1

This patch does the following:

1. caphash write of > CAP_NODE_SIZE bytes overruns node_ptr->data
	(test: cat /etc/mime.types > /dev/caphash)
2. make sure we don't dereference a NULL cap_devices[0].head
	(test: cat serge@root@abab > /dev/capuse)
3. don't let strlen dereference a NULL target_user etc
	(test: echo ab > /dev/capuse)
4. Don't leak a bunch of memory in cap_write().  Note that
   technically node_ptr is not needed for the capuse write case.
   As a result I have a much more extensive patch splitting up
   cap_write(), but I thought a smaller patch that is easier to test
   and verify would be a better start.  To test:
	cnt=0
	while [ 1 ]; do
		echo /etc/mime.types > /dev/capuse
		if [ $((cnt%25)) -eq 0 ]; then
			head -2 /proc/meminfo
		fi
		cnt=$((cnt+1))
		sleep 0.3
	done
   Without this patch, it MemFree steadily drops.  With the patch,
   it does not.

I have *not* tested this driver (with or without these patches)
with factotum or anything - only using the tests described above.

Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 0f51010e

drivers/staging/p9auth/p9auth.c

+23 −1
Original line number Diff line number Diff line
@@ -180,8 +180,12 @@ static ssize_t cap_write(struct file *filp, const char __user *buf, 
	if (down_interruptible(&dev->sem))

		return -ERESTARTSYS;



	user_buf_running = NULL;

	hash_str = NULL;

	node_ptr = kmalloc(sizeof(struct cap_node), GFP_KERNEL);

	user_buf = kzalloc(count, GFP_KERNEL);

	if (!node_ptr || !user_buf)

		goto out;



	if (copy_from_user(user_buf, buf, count)) {

		retval = -EFAULT;
@@ -193,11 +197,21 @@ static ssize_t cap_write(struct file *filp, const char __user *buf, 
	 * hashed capability supplied by the user to the list of hashes

	 */

	if (0 == iminor(filp->f_dentry->d_inode)) {

		if (count > CAP_NODE_SIZE) {

			retval = -EINVAL;

			goto out;

		}

		printk(KERN_INFO "Capability being written to /dev/caphash : \n");

		hexdump(user_buf, count);

		memcpy(node_ptr->data, user_buf, count);

		list_add(&(node_ptr->list), &(dev->head->list));

		node_ptr = NULL;

	} else {

		if (!cap_devices[0].head ||

				list_empty(&(cap_devices[0].head->list))) {

			retval = -EINVAL;

			goto out;

		}

		/*

		 * break the supplied string into tokens with @ as the

		 * delimiter If the string is "user1@user2@randomstring" we
@@ -208,6 +222,10 @@ static ssize_t cap_write(struct file *filp, const char __user *buf, 
		source_user = strsep(&user_buf_running, "@");

		target_user = strsep(&user_buf_running, "@");

		rand_str = strsep(&user_buf_running, "@");

		if (!source_user || !target_user || !rand_str) {

			retval = -EINVAL;

			goto out;

		}



		/* hash the string user1@user2 with rand_str as the key */

		len = strlen(source_user) + strlen(target_user) + 1;
@@ -224,7 +242,7 @@ static ssize_t cap_write(struct file *filp, const char __user *buf, 
			retval = -EFAULT;

			goto out;

		}

		memcpy(node_ptr->data, result, CAP_NODE_SIZE);

		memcpy(node_ptr->data, result, CAP_NODE_SIZE);  /* why? */

		/* Change the process's uid if the hash is present in the

		 * list of hashes

		 */
@@ -299,6 +317,10 @@ static ssize_t cap_write(struct file *filp, const char __user *buf, 
		dev->size = *f_pos;



out:

	kfree(node_ptr);

	kfree(user_buf);

	kfree(user_buf_running);

	kfree(hash_str);

	up(&dev->sem);

	return retval;

}