From: Zhipeng Lu <alexious@zju.edu.cn>
Date: Sun, 24 Dec 2023 16:20:33 +0800
Subject: [PATCH] SUNRPC: fix a memleak in gss_import_v2_context
Git-commit: e67b652d8e8591d3b1e569dbcdfcee15993e91fa
Patch-mainline: v6.9-rc1
References: git-fixes CVE-2023-52653 bsc#1223712
The ctx->mech_used.data allocated by kmemdup is not freed in neither
gss_import_v2_context nor it only caller gss_krb5_import_sec_context,
which frees ctx on error.
Thus, this patch reform the last call of gss_import_v2_context to the
gss_krb5_import_ctx_v2, preventing the memleak while keepping the return
formation.
Fixes: 47d848077629 ("gss_krb5: handle new context format from gssd")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Acked-by: NeilBrown <neilb@suse.com>
---
net/sunrpc/auth_gss/gss_krb5_mech.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -584,6 +584,7 @@ gss_import_v2_context(const void *p, con
gfp_t gfp_mask)
{
int keylen;
+ int ret;
p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
if (IS_ERR(p))
@@ -638,16 +639,22 @@ gss_import_v2_context(const void *p, con
switch (ctx->enctype) {
case ENCTYPE_DES3_CBC_RAW:
- return context_derive_keys_des3(ctx, gfp_mask);
+ ret = context_derive_keys_des3(ctx, gfp_mask);
+ break;
case ENCTYPE_ARCFOUR_HMAC:
- return context_derive_keys_rc4(ctx);
+ ret = context_derive_keys_rc4(ctx);
+ break;
case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
- return context_derive_keys_new(ctx, gfp_mask);
+ ret = context_derive_keys_new(ctx, gfp_mask);
+ break;
default:
- return -EINVAL;
+ ret = -EINVAL;
}
+ if (ret)
+ kfree(ctx->mech_used.data);
+ return ret;
out_err:
return PTR_ERR(p);
}