CRED: Fix double free in prepare_usermodehelper_creds() error handling
Patch 570b8fb:

	Author: Mathieu Desnoyers <[email protected]>
	Date:   Tue Mar 30 00:04:00 2010 +0100
	Subject: CRED: Fix memory leak in error handling

attempts to fix a memory leak in the error handling by making the offending
return statement into a jump down to the bottom of the function where a
kfree(tgcred) is inserted.

This is, however, incorrect, as it does a kfree() after doing put_cred() if
security_prepare_creds() fails.  That will result in a double free if 'error'
is jumped to as put_cred() will also attempt to free the new tgcred record by
virtue of it being pointed to by the new cred record.

Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
dhowells authored and James Morris committed Apr 20, 2010
1 parent 05ce7bf commit eff3036
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions kernel/cred.c
Expand Up @@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)

error:
put_cred(new);
return NULL;

free_tgcred:
#ifdef CONFIG_KEYS
kfree(tgcred);
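
Review bot: the ownership rule that separates the `error:` path from the `free_tgcred:` path is not documented at the labels, so the same fall-through mistake could be reintroduced later. Per the commit message, `put_cred(new)` already frees the tgcred record because the new cred points to it, which is why `error:` has to `return NULL` before reaching `kfree(tgcred)`. A short comment above `error:` saying that tgcred is owned by `new` at that point, and one above `free_tgcred:` saying it is only for failures before tgcred has been attached to a cred, would make the invariant explicit. The visible context stops at `kfree(tgcred);`, so it is also worth confirming that the `free_tgcred:` path ends in its own `return NULL` in both the `CONFIG_KEYS` and non-`CONFIG_KEYS` builds.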