Re: [PATCH v2] net: caif: fix memory leak in ldisc_receive

[Jiri Slaby]

On 18. 01. 26, 18:44, Osama Abdelkader wrote:
> Add NULL pointer checks for ser and ser->dev in ldisc_receive() to
> prevent memory leaks when the function is called during device close
> or in race conditions where tty->disc_data or ser->dev may be NULL.
>
> The memory leak occurred because ser->dev was accessed before checking
> if ser or ser->dev was NULL, which could cause a NULL pointer
> dereference or use of freed memory. Additionally, set tty->disc_data
> to NULL in ldisc_close() to prevent receive_buf() from using a freed
> ser pointer after the line discipline is closed.
>
> Reported-by: syzbot+f9d847b2b84164fa69f3@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=f9d847b2b84164fa69f3
> Fixes: 9b27105b4a44 ("net-caif-driver: add CAIF serial driver (ldisc)")
> CC: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Osama Abdelkader <osama.abdelkader@xxxxxxxxx>
> ---
> v2:
> 1.Combine NULL pointer checks for ser and ser->dev in ldisc_receive()
> 2.Set tty->disc_data = NULL in ldisc_close() to prevent receive_buf()
> from using a freed ser pointer after close.
> 3.Add NULL pointer check for ser in ldisc_close()
> ---
>   drivers/net/caif/caif_serial.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
> index c398ac42eae9..970237a3ccca 100644
> --- a/drivers/net/caif/caif_serial.c
> +++ b/drivers/net/caif/caif_serial.c
> @@ -152,6 +152,8 @@ static void ldisc_receive(struct tty_struct *tty, const u8 *data,
>   	int ret;
>   
>   	ser = tty->disc_data;
> +	if (!ser || !ser->dev)
> +		return;
>   
>   	/*
>   	 * NOTE: flags may contain information about break or overrun.
> @@ -170,8 +172,6 @@ static void ldisc_receive(struct tty_struct *tty, const u8 *data,
>   		return;
>   	}
>   
> -	BUG_ON(ser->dev == NULL);
> -
>   	/* Get a suitable caif packet and copy in data. */
>   	skb = netdev_alloc_skb(ser->dev, count+1);

Wait, the reported error is memory leak of mem allocated here. So both 
ser and ser->dev appear to be valid?

So instead, does netif_rx() return an error few lines below for some 
reason? So should skb just be freed in that path?

        if (skb == NULL)
                return;
        skb_put_data(skb, data, count);

        skb->protocol = htons(ETH_P_CAIF);
        skb_reset_mac_header(skb);
        debugfs_rx(ser, data, count);
        /* Push received packet up the stack. */
        ret = netif_rx(skb);
        if (!ret) {
                ser->dev->stats.rx_packets++;
                ser->dev->stats.rx_bytes += count;
        } else
                ++ser->dev->stats.rx_dropped;

Not calling skb_free() in this else path _is_ a BUG™ in any case IMO.

thanks,
--
js
suse labs