MiCode / Xiaomi_Kernel_OpenSource

Xiaomi Mobile Phone Kernel OpenSource

Two double free bugs found in Android kernel code #1085

Open datadancer opened 5 years ago

datadancer commented 5 years ago

Two double free bugs found in Android kernel code, branches jason-n-oss, mido-n-oss, riva-n-oss, sagit-n-oss, sagit-o-oss, scorpio-n-oss and tissot-o-oss.

Two double free bugs exist in the kernel. In file fs/namespace.c, function `free_vfsmnt` is used to free the memory of `struct mount mnt`, and its first statement is `kfree(mnt->mnt.data);`. Function `vfs_kern_mount` frees the object `mnt->mnt.data` twice, via `kfree(mnt->mnt.data)` and `free_vfsmnt(mnt)`, resulting in a double free bug.

The bug in fs/namespace.c is present in these releases: jason-n-oss, mido-n-oss, riva-n-oss, sagit-n-oss, sagit-o-oss, scorpio-n-oss and tissot-o-oss. For example https://github.com/MiCode/Xiaomi_Kernel_OpenSource/blob/sagit-o-oss/fs/namespace.c

```c
static void free_vfsmnt(struct mount *mnt)
{
	kfree(mnt->mnt.data);
	kfree_const(mnt->mnt_devname);
#ifdef CONFIG_SMP
	free_percpu(mnt->mnt_pcp);
#endif
	kmem_cache_free(mnt_cache, mnt);
}
```

```c
	mnt->mnt.data = NULL;
	if (type->alloc_mnt_data) {
		mnt->mnt.data = type->alloc_mnt_data();
		if (!mnt->mnt.data) {
			mnt_free_id(mnt);
			free_vfsmnt(mnt);
			return ERR_PTR(-ENOMEM);
		}
	}
	if (flags & MS_KERNMOUNT)
		mnt->mnt.mnt_flags = MNT_INTERNAL;

	root = mount_fs(type, flags, name, &mnt->mnt, data);
	if (IS_ERR(root)) {
		kfree(mnt->mnt.data);	/* mnt.data freed here ... */
		mnt_free_id(mnt);
		free_vfsmnt(mnt);	/* ... and again inside free_vfsmnt() */
		return ERR_CAST(root);
	}
```

Similarly, in function clone_mnt, mnt->mnt.data is freed twice, causing a double free bug.

```c
static struct mount *clone_mnt(struct mount *old, struct dentry *root,
			       int flag)
{
	/* ... */
out_free:
	kfree(mnt->mnt.data);	/* mnt.data freed here ... */
	mnt_free_id(mnt);
	free_vfsmnt(mnt);	/* ... and again inside free_vfsmnt() */
	return ERR_PTR(err);
}
```

Kernel memory leak detection output follows.

```
[ 27.073399] BUG kmalloc-128 (Tainted: G B W ): Object already free
[ 27.073405] -----------------------------------------------------------------------------
[ 27.073421] INFO: Allocated in sdcardfs_alloc_mnt_data+0x2c/0x34 age=0 cpu=5 pid=1912
[ 27.073431] 	alloc_debug_processing+0x128/0x17c
[ 27.073438] 	_slab_alloc.constprop.62+0x530/0x620
[ 27.073445] 	slab_alloc.isra.58.constprop.61+0x24/0x34
[ 27.073451] 	kmem_cache_alloc_trace+0xa0/0x220
[ 27.073458] 	sdcardfs_alloc_mnt_data+0x2c/0x34
[ 27.073466] 	vfs_kern_mount+0x68/0x1e8
[ 27.073472] 	do_mount+0xd0c/0xea4
[ 27.073479] 	SyS_mount+0x88/0xc0
[ 27.073486] 	el0_svc_naked+0x24/0x28
[ 27.073494] INFO: Freed in vfs_kern_mount+0xec/0x1e8 age=0 cpu=5 pid=1912
[ 27.073501] 	free_debug_processing+0x298/0x380
[ 27.073508] 	slab_free+0x50/0x3d0
[ 27.073514] 	kfree+0x264/0x290
[ 27.073520] 	vfs_kern_mount+0xec/0x1e8
[ 27.073527] 	do_mount+0xd0c/0xea4
[ 27.073532] 	SyS_mount+0x88/0xc0
[ 27.073538] 	el0_svc_naked+0x24/0x28
[ 27.073546] INFO: Slab 0xffffffbdc2222200 objects=32 used=23 fp=0xffffffc08888aa00 flags=0x4081
[ 27.073553] INFO: Object 0xffffffc08888aa00 @offset=10752 fp=0xffffffc088889c00
[ 27.073565] Bytes b4 ffffffc08888a9f0: 0c 00 00 00 00 80 00 00 00 00 00 00 48 01 00 40 ............H..@
[ 27.073574] Object ffffffc08888aa00: 00 9c 88 88 c0 ff ff ff 00 00 00 28 84 00 00 04 ...........(....
[ 27.073582] Object ffffffc08888aa10: c0 00 00 40 40 00 80 00 08 00 08 00 00 00 00 00 ...@@...........
[ 27.073591] Object ffffffc08888aa20: 00 00 00 00 08 08 00 00 00 80 00 40 00 00 00 08 ...........@....
[ 27.073599] Object ffffffc08888aa30: 00 00 81 00 00 00 00 00 00 28 08 00 00 00 80 c0 .........(......
[ 27.073607] Object ffffffc08888aa40: 00 00 40 00 00 08 00 00 04 0c 00 04 48 00 00 40 ..@.........H..@
[ 27.073615] Object ffffffc08888aa50: 40 04 00 00 80 00 00 00 00 04 00 04 44 40 08 00 @...........D@..
[ 27.073623] Object ffffffc08888aa60: 01 00 04 08 00 00 02 84 40 00 00 00 00 40 00 00 ........@....@..
[ 27.073631] Object ffffffc08888aa70: 00 00 80 00 01 00 00 84 00 c0 40 00 00 00 00 04 ..........@.....
[ 27.073640] Padding ffffffc08888abb0: 40 00 00 00 40 00 00 00 00 00 00 08 60 00 00 20 @...@.......`..
[ 27.073647] Padding ffffffc08888abc0: 00 00 00 01 80 00 00 c0 80 08 44 00 04 84 00 40 ..........D....@
[ 27.073656] Padding ffffffc08888abd0: 02 04 00 00 00 40 40 00 00 40 00 00 00 00 04 00 .....@@..@......
[ 27.073664] Padding ffffffc08888abe0: 00 0a 00 00 00 00 80 08 40 00 25 00 00 00 02 00 ........@.%.....
[ 27.073672] Padding ffffffc08888abf0: 00 80 04 00 00 84 00 00 00 00 00 00 00 00 00 00 ................
[ 27.073682] CPU: 5 PID: 1912 Comm: sdcard Tainted: G B W 4.4.78-perf #3
[ 27.073689] Hardware name: Qualcomm Technologies, Inc. MSM 8998 v2.1 MTP (DT)
[ 27.073694] Call trace:
[ 27.073704] [] dump_backtrace+0x0/0x220
[ 27.073712] [] show_stack+0x14/0x1c
[ 27.073720] [] dump_stack+0xa0/0xc8
[ 27.073728] [] print_trailer+0x188/0x198
[ 27.073735] [] object_err+0x3c/0x4c
[ 27.073742] [] free_debug_processing+0x278/0x380
[ 27.073749] [] slab_free+0x50/0x3d0
[ 27.073756] [] kfree+0x264/0x290
[ 27.073764] [] free_vfsmnt+0x20/0x5c
[ 27.073772] [] vfs_kern_mount+0x104/0x1e8
[ 27.073778] [] do_mount+0xd0c/0xea4
[ 27.073785] [] SyS_mount+0x88/0xc0
[ 27.073793] [] el0_svc_naked+0x24/0x28
```

Patch: delete the redundant statement `kfree(mnt->mnt.data);` before the statement `free_vfsmnt(mnt);` in file fs/namespace.c.
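The ownership mistake described in this report, modelled in userspace as an added example (this is not code from the Xiaomi kernel or from the issue): `model_free_vfsmnt` plays the role of `free_vfsmnt`, which owns `mnt->mnt.data`, and a small allocation ledger (`dbg_alloc`/`dbg_free`, a hypothetical stand-in for the SLUB debug check that produced the "Object already free" trace) counts a second free of the same object instead of handing it to the allocator again. `simulate_mount_failure` runs the `mount_fs` error path of `vfs_kern_mount` once as reported and once with the redundant `kfree` removed, as the proposed patch does. Every name with a `model_`, `dbg_` or `simulate_` prefix, and the `struct mount` layout, are assumptions of this example.

```c
/* Added example, not Xiaomi kernel code: userspace model of the double free
 * in vfs_kern_mount()/free_vfsmnt() and of the proposed one-line fix. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LEDGER_SLOTS 64

/* Ledger of live allocations: a hypothetical stand-in for SLUB's free-list
 * check (free_debug_processing in the trace above). */
static void *live[LEDGER_SLOTS];
static int double_free_count;

static void *dbg_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < LEDGER_SLOTS; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);            /* ledger full: treat as allocation failure */
    return NULL;
}

/* Mirrors kfree(): NULL is a no-op. A pointer that is no longer in the
 * ledger was already freed; record it instead of calling free() twice. */
static void dbg_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < LEDGER_SLOTS; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    }
    double_free_count++;   /* "BUG kmalloc-128: Object already free" */
}

/* Minimal assumed layout; only the mnt.data field matters here. */
struct vfsmount { void *data; };
struct mount { struct vfsmount mnt; const char *mnt_devname; };

/* Model of free_vfsmnt(): it owns mnt->mnt.data and frees it itself. */
static void model_free_vfsmnt(struct mount *mnt)
{
    dbg_free(mnt->mnt.data);
    dbg_free(mnt);
}

/* Error path as reported: an explicit kfree() of mnt.data, then
 * free_vfsmnt(), which frees the same object a second time. */
static void error_path_buggy(struct mount *mnt)
{
    dbg_free(mnt->mnt.data);
    model_free_vfsmnt(mnt);
}

/* Error path after the proposed patch: only the owner frees mnt.data. */
static void error_path_fixed(struct mount *mnt)
{
    model_free_vfsmnt(mnt);
}

/* Simulate mount_fs() failing after alloc_mnt_data() succeeded.
 * Returns the number of double frees the ledger observed, -1 on OOM. */
int simulate_mount_failure(int apply_patch)
{
    double_free_count = 0;
    memset(live, 0, sizeof(live));

    struct mount *mnt = dbg_alloc(sizeof(*mnt));
    if (!mnt)
        return -1;
    mnt->mnt.data = dbg_alloc(128);   /* like sdcardfs_alloc_mnt_data() */
    if (!mnt->mnt.data) {
        dbg_free(mnt);
        return -1;
    }

    if (apply_patch)
        error_path_fixed(mnt);
    else
        error_path_buggy(mnt);
    return double_free_count;
}

int main(void)
{
    printf("unpatched error path: %d double free(s)\n", simulate_mount_failure(0));
    printf("patched error path:   %d double free(s)\n", simulate_mount_failure(1));
    return 0;
}
```

Built with any C99 compiler, the unpatched path reports one double free and the patched path none, while `mnt` itself is released exactly once in both cases, so the fix does not trade the double free for a leak. The kernel equivalent of the ledger is SLUB's free-list validation (booting with `slub_debug`), which is what turned this bug into the "Object already free" report rather than silent heap corruption.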

scafroglia93 commented 5 years ago

Have you opened a CVE?