[PATCH openEuler-1.0-LTS] net: rds: fix memory leak in rds_recvmsg - Kernel

13 Jun 2024

From: Pavel Skripkin paskripkin@gmail.com
stable inclusion
from stable-v5.10.46
commit 5946fbf48355f5a8caeff72580c7658da5966b86
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4HY
CVE: CVE-2021-47249
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ]
Syzbot reported memory leak in rds. The problem
was in unputted refcount in case of error.
int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
    	int msg_flags)
{
...
if (!rds_next_incoming(rs, &inc)) {
    	...
    }
After this "if" inc refcount incremented and
if (rds_cmsg_recv(inc, msg, rs)) {
    	ret = -EFAULT;
    	goto out;
    }
...
out:
    return ret;
}
in case of rds_cmsg_recv() fail the refcount won't be
decremented. And it's easy to see from ftrace log, that
rds_inc_addref() don't have rds_inc_put() pair in
rds_recvmsg() after rds_cmsg_recv()
1)               |  rds_recvmsg() {
 1)   3.721 us    |    rds_inc_addref();
 1)   3.853 us    |    rds_message_inc_copy_to_user();
 1) + 10.395 us   |    rds_cmsg_recv();
 1) + 34.260 us   |  }
Fixes: bdbe6fbc6a2f ("RDS: recv.c")
Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin paskripkin@gmail.com
Reviewed-by: Håkon Bugge haakon.bugge@oracle.com
Acked-by: Santosh Shilimkar santosh.shilimkar@oracle.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Chen Jun chenjun102@huawei.com
Acked-by: Weilong Chen chenweilong@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
Signed-off-by: Zheng Zucheng zhengzucheng@huawei.com
---
 net/rds/recv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rds/recv.c b/net/rds/recv.c
index 3ca278988b52..ccf0bf283002 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -705,7 +705,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
if (rds_cmsg_recv(inc, msg, rs)) {
    		ret = -EFAULT;
-			goto out;
+			break;
    	}
    	rds_recvmsg_zcookie(rs, msg);
-- 
2.34.1


    