linux/net/sunrpc
David Ramos a1d1e9be5a svcrpc: fix memory leak in gssp_accept_sec_context_upcall
Our UC-KLEE tool found a kernel memory leak of 512 bytes (on x86_64) for
each call to gssp_accept_sec_context_upcall()
(net/sunrpc/auth_gss/gss_rpc_upcall.c). Since it appears that this call
can be triggered by remote connections (at least, from a cursory
glance at the call chain), it may be exploitable to cause kernel memory
exhaustion. We found the bug in kernel 3.16.3, but it appears to date
back to commit 9dfd87da1a (2013-08-20).

The gssp_accept_sec_context_upcall() function performs a pair of calls
to gssp_alloc_receive_pages() and gssp_free_receive_pages().  The first
allocates memory for arg->pages.  The second then frees the pages
pointed to by the arg->pages array, but not the array itself.

Reported-by: David A. Ramos <daramos@stanford.edu>
Fixes: 9dfd87da1a ("rpc: fix huge kmalloc's in gss-proxy")
Signed-off-by: David A. Ramos <daramos@stanford.edu>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2015-02-17 18:09:02 -05:00
auth_gss svcrpc: fix memory leak in gssp_accept_sec_context_upcall 2015-02-17 18:09:02 -05:00
xprtrdma svcrdma: Handle additional inline content 2015-01-15 15:01:49 -05:00
addr.c replace strict_strto calls 2014-07-12 18:45:49 -04:00
auth_generic.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
auth_null.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
auth_unix.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
auth.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
backchannel_rqst.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
bc_svc.c
cache.c sunrpc/cache: convert to use string_escape_str() 2014-12-09 11:30:20 -05:00
clnt.c sunrpc: add debugfs file for displaying client rpc_task queue 2014-11-27 13:14:51 -05:00
debugfs.c sunrpc: add a debugfs rpc_xprt directory with an info file in it 2014-11-27 13:14:52 -05:00
Kconfig sunrpc: add debugfs file for displaying client rpc_task queue 2014-11-27 13:14:51 -05:00
Makefile sunrpc: add debugfs file for displaying client rpc_task queue 2014-11-27 13:14:51 -05:00
netns.h Merge branch 'for-3.14' of git://linux-nfs.org/~bfields/linux 2014-01-30 10:18:43 -08:00
rpc_pipe.c rpc_pipe: Drop memory allocation cast 2014-07-12 18:43:44 -04:00
rpcb_clnt.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
sched.c sunrpc: eliminate RPC_TRACEPOINTS 2014-11-24 17:33:12 -05:00
socklib.c net: Save software checksum complete 2014-06-11 15:46:13 -07:00
stats.c SUNRPC: serialize iostats updates 2014-11-25 16:22:15 -05:00
sunrpc_syms.c sunrpc: add debugfs file for displaying client rpc_task queue 2014-11-27 13:14:51 -05:00
sunrpc.h SUNRPC: track whether a request is coming from a loop-back interface. 2014-05-22 15:59:18 -04:00
svc_xprt.c sunrpc/lockd: fix references to the BKL 2015-01-23 10:29:12 -05:00
svc.c sunrpc/lockd: fix references to the BKL 2015-01-23 10:29:12 -05:00
svcauth_unix.c svcrpc: fix failures to handle -1 uid's 2013-07-08 17:27:23 -04:00
svcauth.c nfsd4: better reservation of head space for krb5 2014-05-30 17:32:17 -04:00
svcsock.c sunrpc: move rq_local field to rq_flags 2014-12-09 11:21:21 -05:00
sysctl.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00
timer.c
xdr.c rpc: fix xdr_truncate_encode to handle buffer ending on page boundary 2015-01-07 14:03:58 -05:00
xprt.c sunrpc: add a debugfs rpc_xprt directory with an info file in it 2014-11-27 13:14:52 -05:00
xprtsock.c sunrpc: eliminate RPC_DEBUG 2014-11-24 17:31:46 -05:00