BLASTing Linux Code

Jan Tobias Mühlberg and Gerald Lüttgen
Department of Computer Science, University of York, York YO10 5DD, U.K.





Checking Memory Safety: Example 2


Commit Overview

Commit Key 2d6eac6c4fdaa69656d66c80754d267be233cc3f
Subject [PATCH] drivers/infiniband/core/mad.c: fix a use-after-free
Description The Coverity checker spotted this obvious use-after-free caused by a wrong order of the cleanups.
Requires Linux 2.6.14 kernel source as from git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/linux-2.6.14.y.git

--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -356,9 +356,9 @@ error4:
spin_unlock_irqrestore(&port_priv->reg_lock, flags);
kfree(reg_req);
error3:
- kfree(mad_agent_priv);
-error2:
ib_dereg_mr(mad_agent_priv->agent.mr);
+error2:
+ kfree(mad_agent_priv);
error1:
return ret;
}
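Review bot: the swap of `kfree(mad_agent_priv);` and `ib_dereg_mr(mad_agent_priv->agent.mr);` is the right fix, because the argument expression reads through mad_agent_priv and must be evaluated before the object is freed; but with the new label order the `error2:` path now frees mad_agent_priv without calling ib_dereg_mr, whereas before it deregistered the MR. Every `goto error2` and `goto error3` in ib_register_mad_agent() (not in this hunk) should therefore be checked to confirm that error2 is only reached before the MR is registered and error3 only after it, otherwise the patch trades a use-after-free for a leaked MR or a deregistration of one that was never registered.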

(lines starting with @@: line numbers and function names; lines starting with -: line removed; lines starting with +: line added)

Files

Unmodified sources

Comments

This example is quite similar to example 1. The bug results from a wrong order of the labels used for the different error cases. If the execution of ib_register_mad_agent() ever jumps to either error4 or error3, it first frees the object pointed to by mad_agent_priv in line 359 (kfree(mad_agent_priv)) and then dereferences that pointer again in line 361, when the argument mad_agent_priv->agent.mr is evaluated for the call to ib_dereg_mr(). The patch swaps the two cleanup steps so that the memory region is deregistered before the structure is freed.
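
To make the ordering bug concrete, the following is an added example (not code from mad.c, from the kernel, or from BLAST) that models the error-path ladder with a fake kfree() that marks an object as freed instead of releasing it, so the later read through the pointer can be detected rather than being undefined behaviour. The struct layout, the helper names (fake_kfree, read_agent_mr, fake_dereg_mr) and the fail_at failure injection are assumptions made for this example. register_agent_buggy() uses the label order before the patch, register_agent_fixed() the order after it.

```c
#include <stdlib.h>
#include <stdio.h>

/*
 * Constructed model of the error-path ladder at the end of
 * ib_register_mad_agent().  Types, fake allocator and failure injection are
 * assumptions for this example; nothing here is code from mad.c or BLAST.
 */
struct mr_t {
    int registered;             /* 1 while the memory region is registered */
};

struct agent_priv_t {
    struct mr_t mr;             /* plays the role of agent.mr in mad.c */
    int freed;                  /* set by fake_kfree(), never cleared */
};

/* Stand-in for kfree(): mark the object instead of releasing it, so a later
 * access is detectable instead of being undefined behaviour. */
static void fake_kfree(struct agent_priv_t *p)
{
    p->freed = 1;
}

/* Stand-in for evaluating mad_agent_priv->agent.mr.  Returns 1 when the read
 * happens on an object that was already freed (a use-after-free). */
static int read_agent_mr(struct agent_priv_t *p, struct mr_t **out)
{
    *out = &p->mr;
    return p->freed;
}

/* Stand-in for ib_dereg_mr(). */
static void fake_dereg_mr(struct mr_t *mr)
{
    mr->registered = 0;
}

/*
 * fail_at selects the failing step: 3 = allocation of reg_req fails (goto
 * error3), 4 = the step done under reg_lock fails (goto error4), 0 = success.
 * Returns 1 if the cleanup read freed memory, 0 otherwise.
 */
static int register_agent_buggy(int fail_at)
{
    struct agent_priv_t obj = { { 1 }, 0 };
    struct agent_priv_t *mad_agent_priv = &obj;   /* kzalloc'ed in mad.c */
    struct mr_t *mr = NULL;
    char *reg_req;
    int uaf = 0;

    reg_req = (fail_at == 3) ? NULL : malloc(16); /* kmalloc of reg_req */
    if (!reg_req)
        goto error3;
    if (fail_at == 4)                             /* failure under the lock */
        goto error4;
    free(reg_req);
    return 0;

error4:
    /* spin_unlock_irqrestore(&port_priv->reg_lock, flags); */
    free(reg_req);
error3:
    fake_kfree(mad_agent_priv);                   /* freed here ... */
    /* error2: */
    uaf |= read_agent_mr(mad_agent_priv, &mr);    /* ... read again here */
    fake_dereg_mr(mr);
    /* error1: */
    return uaf;
}

/* The same ladder with the order from the patch: deregister, then free. */
static int register_agent_fixed(int fail_at)
{
    struct agent_priv_t obj = { { 1 }, 0 };
    struct agent_priv_t *mad_agent_priv = &obj;
    struct mr_t *mr = NULL;
    char *reg_req;
    int uaf = 0;

    reg_req = (fail_at == 3) ? NULL : malloc(16);
    if (!reg_req)
        goto error3;
    if (fail_at == 4)
        goto error4;
    free(reg_req);
    return 0;

error4:
    free(reg_req);
error3:
    uaf |= read_agent_mr(mad_agent_priv, &mr);    /* object still live */
    fake_dereg_mr(mr);
    /* error2: */
    fake_kfree(mad_agent_priv);                   /* freed last */
    /* error1: */
    return uaf;
}

int main(void)
{
    const int cases[] = { 0, 3, 4 };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("fail_at=%d  buggy: %s  fixed: %s\n", cases[i],
               register_agent_buggy(cases[i]) ? "use-after-free" : "clean",
               register_agent_fixed(cases[i]) ? "use-after-free" : "clean");
    return 0;
}
```

Only the two failure paths that pass through error3 trigger the read after the free; the success path is clean in both versions, which is exactly why the bug survives ordinary testing and is left to a checker that explores the error labels.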

While experimenting with this error, we experienced the same problems as with example 1.

Source: http://www.kernel.org



Jan Tobias Mühlberg