From: Ben Hutchings ben@decadent.org.uk
mainline inclusion from mainline-v5.3-rc1 commit 15b3cd8ef46ad1b100e0d3c7e38774f330726820 category: bugfix bugzilla: 34617 CVE: CVE-2019-12379
---------------------------
This reverts commit 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac.
con_insert_unipair() is working with a sparse 3-dimensional array:
- p->uni_pgdir[] is the top layer - p1 points to a middle layer - p2 points to a bottom layer
If it needs to allocate a new middle layer, and then fails to allocate a new bottom layer, it would previously free only p2, and now it frees both p1 and p2. But since the new middle layer was already registered in the top layer, it was not leaked.
However, if it looks up an *existing* middle layer and then fails to allocate a bottom layer, it now frees both p1 and p2 but does *not* free any other bottom layers under p1. So it *introduces* a memory leak.
The error path also cleared the wrong index in p->uni_pgdir[], introducing a use-after-free.
Signed-off-by: Ben Hutchings ben@decadent.org.uk Fixes: 84ecc2f6eb1c ("consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c") Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Zheng Bin zhengbin13@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/tty/vt/consolemap.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c index 814d1b7..7c7ada0 100644 --- a/drivers/tty/vt/consolemap.c +++ b/drivers/tty/vt/consolemap.c @@ -489,11 +489,7 @@ static int con_unify_unimap(struct vc_data *conp, struct uni_pagedir *p) p2 = p1[n = (unicode >> 6) & 0x1f]; if (!p2) { p2 = p1[n] = kmalloc_array(64, sizeof(u16), GFP_KERNEL); - if (!p2) { - kfree(p1); - p->uni_pgdir[n] = NULL; - return -ENOMEM; - } + if (!p2) return -ENOMEM; memset(p2, 0xff, 64*sizeof(u16)); /* No glyphs for the characters (yet) */ }