linux

iv/linux

History

David Ramos a1d1e9be5a svcrpc: fix memory leak in gssp_accept_sec_context_upcall Our UC-KLEE tool found a kernel memory leak of 512 bytes (on x86_64) for each call to gssp_accept_sec_context_upcall() (net/sunrpc/auth_gss/gss_rpc_upcall.c). Since it appears that this call can be triggered by remote connections (at least, from a cursory a glance at the call chain), it may be exploitable to cause kernel memory exhaustion. We found the bug in kernel 3.16.3, but it appears to date back to commit `9dfd87da1a` (2013-08-20). The gssp_accept_sec_context_upcall() function performs a pair of calls to gssp_alloc_receive_pages() and gssp_free_receive_pages(). The first allocates memory for arg->pages. The second then frees the pages pointed to by the arg->pages array, but not the array itself. Reported-by: David A. Ramos <daramos@stanford.edu> Fixes: `9dfd87da1a` ("rpc: fix huge kmalloc's in gss-proxy”) Signed-off-by: David A. Ramos <daramos@stanford.edu> Signed-off-by: J. Bruce Fields <bfields@redhat.com>		2015-02-17 18:09:02 -05:00
..
6lowpan	net/6lowpan: Remove FSF address from GPL statement.	2014-12-05 12:43:04 +01:00
9p	9p/trans_virtio: enable VQs early	2014-10-15 10:25:04 +10:30
802	net: set name_assign_type in alloc_netdev()	2014-07-15 16:12:48 -07:00
8021q	vlan: Add ability to always enable TSO/UFO	2014-12-12 10:58:53 -05:00
appletalk	new helper: memcpy_from_msg()	2014-11-24 04:28:48 -05:00
atm	put iov_iter into msghdr	2014-12-09 16:29:03 -05:00
ax25	new helper: memcpy_from_msg()	2014-11-24 04:28:48 -05:00
batman-adv	batman-adv: fix potential TT client + orig-node memory leak	2015-01-06 11:07:01 +01:00
bluetooth	Bluetooth: Fix accepting connections when not using mgmt	2014-12-24 20:02:00 +01:00
bridge	bridge: only provide proxy ARP when CONFIG_INET is enabled	2015-01-14 15:08:02 -05:00
caif	put iov_iter into msghdr	2014-12-09 16:29:03 -05:00
can	can: fix spelling errors	2014-12-07 21:22:05 +01:00
ceph	libceph: fix sparse endianness warnings	2015-01-08 20:36:57 +03:00
core	neighbour: fix base_reachable_time(_ms) not effective immediatly when changed	2015-01-14 00:28:00 -05:00
dcb	dcbnl : Disable software interrupts before taking dcb_lock	2014-11-16 14:50:52 -05:00
dccp	net: introduce helper macro for_each_cmsghdr	2014-12-10 22:41:55 -05:00
decnet	new helper: memcpy_to_msg()	2014-11-24 04:28:51 -05:00
dns_resolver	Merge commit 'v3.16' into next	2014-10-01 00:44:04 +10:00
dsa	Driver core patches for 3.19-rc1	2014-12-14 16:10:09 -08:00
ethernet	net: Add function for parsing the header length out of linear ethernet frames	2014-09-05 17:47:02 -07:00
hsr	net/hsr: Remove left-over never-true conditional code.	2014-07-11 15:04:40 -07:00
ieee802154	Merge tag 'master-2014-12-08' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next	2014-12-09 18:12:03 -05:00
ipv4	Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf	2015-01-12 00:14:49 -05:00
ipv6	Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf	2015-01-12 00:14:49 -05:00
ipx	switch ipxrtr_route_packet() from iovec to msghdr	2014-11-24 04:28:49 -05:00
irda	irda: Convert function pointer arrays and uses to const	2014-12-10 15:33:16 -05:00
iucv	net: introduce helper macro for_each_cmsghdr	2014-12-10 22:41:55 -05:00
key	new helper: memcpy_from_msg()	2014-11-24 04:28:48 -05:00
l2tp	ip_generic_getfrag, udplite_getfrag: switch to passing msghdr	2014-12-09 16:28:22 -05:00
lapb	lapb: move EXPORT_SYMBOL after functions.	2014-10-24 15:51:42 -04:00
llc	llc: Make llc_sap_action_t function pointer arrays const	2014-12-10 15:21:24 -05:00
mac80211	Revert "mac80211: Fix accounting of the tailroom-needed counter"	2015-01-05 10:33:46 +01:00
mac802154	mac802154: use goto label on failure	2014-12-05 14:18:42 +01:00
mpls	mpls: Fix allowed protocols for mpls gso	2014-12-23 23:57:31 -05:00
netfilter	Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf	2015-01-12 00:14:49 -05:00
netlabel	netlabel: kernel-doc warning fix	2014-10-09 01:40:05 -04:00
netlink	genetlink: A genl_bind() to an out-of-range multicast group should not WARN().	2014-12-29 16:31:49 -05:00
netrom	new helper: memcpy_from_msg()	2014-11-24 04:28:48 -05:00
nfc	Merge tag 'master-2014-12-08' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next	2014-12-09 18:12:03 -05:00
openvswitch	openvswitch: packet messages need their own probe attribtue	2015-01-14 16:49:44 -05:00
packet	packet: bail out of packet_snd() if L2 header creation fails	2015-01-11 21:54:03 -05:00
phonet	new helper: memcpy_from_msg()	2014-11-24 04:28:48 -05:00
rds	rds: Fix min() warning in rds_message_inc_copy_to_user()	2014-12-15 11:49:09 -05:00
rfkill	Driver core patches for 3.19-rc1	2014-12-14 16:10:09 -08:00
rose	new helper: memcpy_from_msg()	2014-11-24 04:28:48 -05:00
rxrpc	net: introduce helper macro for_each_cmsghdr	2014-12-10 22:41:55 -05:00
sched	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2014-12-10 15:48:20 -05:00
sctp	net: introduce helper macro for_each_cmsghdr	2014-12-10 22:41:55 -05:00
sunrpc	svcrpc: fix memory leak in gssp_accept_sec_context_upcall	2015-02-17 18:09:02 -05:00
switchdev	bridge: call netdev_sw_port_stp_update when bridge port STP status changes	2014-12-02 20:01:22 -08:00
tipc	tipc: fix bug in broadcast retransmit code	2015-01-12 16:01:59 -05:00
unix	put iov_iter into msghdr	2014-12-09 16:29:03 -05:00
vmw_vsock	put iov_iter into msghdr	2014-12-09 16:29:03 -05:00
wimax	wimax: convert printk to pr_foo()	2014-10-07 20:28:44 -04:00
wireless	Revert "cfg80211: make WEXT compatibility unselectable"	2014-12-30 16:42:29 -08:00
x25	new helper: memcpy_from_msg()	2014-11-24 04:28:48 -05:00
xfrm	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next	2014-12-08 21:30:21 -05:00
compat.c	put iov_iter into msghdr	2014-12-09 16:29:03 -05:00
Kconfig	net: introduce generic switch devices support	2014-12-02 20:01:20 -08:00
Makefile	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2014-12-16 15:53:03 -08:00
socket.c	[regression] chunk lost from bd9b51	2014-12-19 07:13:21 -05:00
sysctl_net.c