diff options
author | David Howells <dhowells@redhat.com> | 2010-04-20 22:41:18 +0100 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-04-21 09:20:35 +1000 |
commit | eff30363c0b8b057f773108589bfd8881659fe74 (patch) | |
tree | 6ae631c2fa01174a24da347b68fc25f0c350bc2b | |
parent | 05ce7bfe547c9fa967d9cab6c37867a9cb6fb3fa (diff) | |
download | op-kernel-dev-eff30363c0b8b057f773108589bfd8881659fe74.zip op-kernel-dev-eff30363c0b8b057f773108589bfd8881659fe74.tar.gz |
CRED: Fix double free in prepare_usermodehelper_creds() error handling
Patch 570b8fb505896e007fd3bb07573ba6640e51851d:
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Tue Mar 30 00:04:00 2010 +0100
Subject: CRED: Fix memory leak in error handling
attempts to fix a memory leak in the error handling by making the offending
return statement into a jump down to the bottom of the function where a
kfree(tgcred) is inserted.
This is, however, incorrect, as it does a kfree() after doing put_cred() if
security_prepare_creds() fails. That will result in a double free if 'error'
is jumped to as put_cred() will also attempt to free the new tgcred record by
virtue of it being pointed to by the new cred record.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | kernel/cred.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/cred.c b/kernel/cred.c index e1dbe9e..ce1a52b 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void) error: put_cred(new); + return NULL; + free_tgcred: #ifdef CONFIG_KEYS kfree(tgcred); |