CVE-2014-2851: current group_info should be put after using.

Subject

[PATCH] net: ipv4: current group_info should be put after using.

From

Date

Fri, 11 Apr 2014 13:37:08 -0400

There is a memory leak in ping. Current group_info had been got in
ping_init_sock and group_info->usage increased.
But the usage hasn’t decreased anywhere in ping.
This will make this group_info never freed and cause memory leak.

unreferenced object 0xcd0e8840 (size 192):
comm "dumpstate", pid 7583, jiffies 78360 (age 91.810s)
hex dump (first 32 bytes):
02 00 00 00 06 00 00 00 01 00 00 00 ef 03 00 00 …
f1 03 00 00 f7 03 00 00 04 04 00 00 bb 0b 00 00 …
backtrace:
[<c1a6bbfc>] kmemleak_alloc+0x3c/0xa0
[<c1320457>] __kmalloc+0xe7/0x1d0
[<c1267c04>] groups_alloc+0x34/0xb0
[<c1267e5c>] SyS_setgroups+0x3c/0xf0
[<c1a864a8>] syscall_call+0x7/0xb
[<ffffffff>] 0xffffffff

Signed-off-by: Chuansheng Liu [email protected]
Signed-off-by: Zhang Dongxing [email protected]
Signed-off-by: xiaoming wang [email protected]
—
net/ipv4/ping.c | 11 +++++++±–
1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index f4b19e5…2af7b1f 100644
— a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -255,23 +255,28 @@ int ping_init_sock(struct sock *sk)
struct group_info *group_info = get_current_groups();
int i, j, count = group_info->ngroups;
kgid_t low, high;

• int ret = 0;

  inet_get_ping_group_range_net(net, &low, &high);
  if (gid_lte(low, group) && gid_lte(group, high))
  - return 0;

•   goto out\_release\_group;
  

  for (i = 0; i < group_info->nblocks; i++) {
  int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
  for (j = 0; j < cp_count; j++) {
  kgid_t gid = group_info->blocks[i][j];
  if (gid_lte(low, gid) && gid_lte(gid, high))
  - return 0;

•           goto out\_release\_group;  
    }
  
    count -= cp\_count;  
  

  }

• return -EACCES;

• ret = -EACCES;

+out_release_group:

• put_group_info(group_info);
• return ret;
  }
  EXPORT_SYMBOL_GPL(ping_init_sock);

–
1.7.1