NetBSD Problem Report #51554

From www@NetBSD.org  Wed Oct 12 15:39:45 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 211117A28E
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 12 Oct 2016 15:39:45 +0000 (UTC)
Message-Id: <20161012153943.B4DFD7A2AE@mollari.NetBSD.org>
Date: Wed, 12 Oct 2016 15:39:43 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: Avoid unsafe allocation in ldc/vdsk
X-Send-Pr-Version: www-1.0

>Number:         51554
>Category:       port-sparc64
>Synopsis:       Avoid unsafe allocation in ldc/vdsk
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    palle
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 12 15:40:00 +0000 2016
>Closed-Date:    Tue Mar 07 04:50:49 +0000 2017
>Last-Modified:  Tue Mar 07 04:50:49 +0000 2017
>Originator:     coypu
>Release:        NetBSD 7.99.39
>Organization:
>Environment:
no sparc hardware here!
>Description:
There are some memory allocation issues in vdsk.c and ldc.c.
When memory is allocated, kmem_zalloc is called with KM_NOSLEEP, but failure
is not checked. If it were checked and NULL returned, it would leak memory
upon failure, so create a label for freeing previously allocated memory.

I've mentioned the memory leak to OpenBSD, but unsure if loudly enough.

sidenote: unsure whether kmem_zalloc is needed as opposed to kmem_alloc,
because I don't think OpenBSD zeroes here, but perhaps their malloc is that weird.
>How-To-Repeat:

>Fix:
Something like this may do (not even compile tested, slow machine, sorry)

Index: ldc.c
===================================================================
RCS file: /cvsroot/src/sys/arch/sparc64/dev/ldc.c,v
retrieving revision 1.2
diff -u -r1.2 ldc.c
--- ldc.c	20 Aug 2016 18:21:18 -0000	1.2
+++ ldc.c	12 Oct 2016 15:28:31 -0000
@@ -553,7 +553,8 @@
 	    BUS_DMA_NOWAIT) != 0)
 		goto unmap;
 #else
-	 va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP);
+	if ((va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP)) == NULL)
+		goto free;
 #endif
 	lq->lq_va = (vaddr_t)va;
 	lq->lq_nentries = nentries;
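
Review bot: in the added `if ((va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP)) == NULL)`, the result is cast to `vaddr_t`, an integer type in NetBSD, and then compared with the pointer constant `NULL`, which can draw a compiler warning. Test the returned pointer before the cast, or compare `va` against 0. The same form is used in the ldc_map hunk below and in vdsk.c.
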
@@ -566,6 +567,8 @@
 destroy:
 	bus_dmamap_destroy(t, lq->lq_map);
 #endif
+free:
+	kmem_free(lq, sizeof(struct ldc_queue));
 	return (NULL);
 }

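Review bot: the `free:` label sits after `#endif`, while the only `goto free` this patch adds is inside the `#else` branch, so when the bus_dma branch is compiled the label is reached only by falling through from `destroy:`. That fall-through also makes the existing bus_dma error paths free `lq`, which looks intended; say so in the commit message and check that this configuration does not warn about an unused label.
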
@@ -636,7 +639,8 @@
 		goto unmap;
 	}
 #else
-	va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP);
+	if ((va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP)) == NULL)
+		goto free;
 #endif
 	lm->lm_slot = (struct ldc_map_slot *)va;
 	lm->lm_nentries = nentries;
@@ -651,6 +655,8 @@
 destroy:
 	bus_dmamap_destroy(t, lm->lm_map);
 #endif
+free:
+	kmem_free(lm, sizeof(struct ldc_map));
 	return (NULL);
 }

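Review bot: `kmem_free(lm, sizeof(struct ldc_map))` has to be passed the same size that was used when `lm` was allocated, and that allocation is outside the visible context. Writing both sides as `sizeof(*lm)` would keep them in step; the same applies to `lq` above and to `vd` in vdsk.c.
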
Index: vdsk.c
===================================================================
RCS file: /cvsroot/src/sys/arch/sparc64/dev/vdsk.c,v
retrieving revision 1.2
diff -u -r1.2 vdsk.c
--- vdsk.c	20 Aug 2016 18:21:18 -0000	1.2
+++ vdsk.c	12 Oct 2016 15:28:32 -0000
@@ -968,7 +968,8 @@
 	    BUS_DMA_NOWAIT) != 0)
 		goto unmap;
 #else
-	va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP);
+	if ((va = (vaddr_t)kmem_zalloc(size, KM_NOSLEEP)) == NULL)
+		goto free;
 #endif
 	vd->vd_desc = (struct vd_desc *)va;
 	vd->vd_nentries = nentries;
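
Review bot: the allocation still uses `KM_NOSLEEP`, so with the new check this function can return NULL under memory pressure and its callers have to handle that. If this path is allowed to sleep, `KM_SLEEP` would remove the new failure branch altogether; otherwise confirm that the callers check the return value.
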
@@ -985,6 +986,8 @@
 destroy:
 	bus_dmamap_destroy(t, vd->vd_map);
 #endif
+free:
+	kmem_free(vd, sizeof(struct vdsk_dring));
 	return (NULL);
 }


>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sun, 26 Feb 2017 16:06:55 +0000
State-Changed-Why:


Responsible-Changed-From-To: port-sparc64-maintainer->palle
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sun, 26 Feb 2017 21:16:59 +0000
Responsible-Changed-Why:
Could you please review and deal?


State-Changed-From-To: closed->open
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sun, 26 Feb 2017 21:16:59 +0000
State-Changed-Why:
Needs review and test


From: "Palle Lyckegaard" <palle@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/51554 CVS commit: src/sys/arch/sparc64/dev
Date: Fri, 3 Mar 2017 21:09:25 +0000

 Module Name:	src
 Committed By:	palle
 Date:		Fri Mar  3 21:09:25 UTC 2017

 Modified Files:
 	src/sys/arch/sparc64/dev: ldc.c vdsk.c

 Log Message:
 sun4v: Fixed PR 51554 - Avoid unsafe allocation in ldc/vdsk


 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.3 src/sys/arch/sparc64/dev/ldc.c \
     src/sys/arch/sparc64/dev/vdsk.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: palle@NetBSD.org
State-Changed-When: Tue, 07 Mar 2017 04:50:49 +0000
State-Changed-Why:
Fixed issue


>Unformatted:
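
The allocate, check and unwind pattern this report asks for, as an added user-space example that is not NetBSD code and not part of the report. `xzalloc`, `xfree`, `struct queue` and the `fail_at` fault injector are hypothetical stand-ins for `kmem_zalloc`, `kmem_free` and the driver structures.

```c
#include <stdlib.h>

/* User-space stand-ins for kmem_zalloc(9)/kmem_free(9); names are hypothetical. */
static int calls, fail_at, live;	/* fault injection and live-allocation count */

static void *xzalloc(size_t size)
{
	if (++calls == fail_at)
		return NULL;		/* models a KM_NOSLEEP allocation failing */
	live++;
	return calloc(1, size);
}

static void xfree(void *p, size_t size)
{
	(void)size;			/* kmem_free needs the size; free() does not */
	live--;
	free(p);
}

struct queue { void *q_va; size_t q_size; };	/* shaped like lq in the patch */
static struct queue *queue_alloc(size_t nentries, size_t entsize)
{
	struct queue *q = xzalloc(sizeof(*q));

	if (q == NULL)
		return NULL;
	q->q_size = nentries * entsize;
	if ((q->q_va = xzalloc(q->q_size)) == NULL)
		goto fail;		/* second allocation failed: unwind the first */
	return q;
fail:
	xfree(q, sizeof(*q));
	return NULL;
}

/* Make the n-th allocation fail (0 = none); return allocations left behind. */
static int leaked_after(int n)
{
	calls = live = 0; fail_at = n;
	struct queue *q = queue_alloc(8, 64);
	if (q != NULL) {
		xfree(q->q_va, q->q_size);
		xfree(q, sizeof(*q));
	}
	return live;
}

int main(void)
{
	return leaked_after(0) || leaked_after(1) || leaked_after(2);
}
```

Removing the `goto fail` unwind while keeping the NULL check makes `leaked_after(2)` return 1, which is the leak the report describes.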
