summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2010-04-20 22:41:18 +0100
committerJames Morris <jmorris@namei.org>2010-04-21 09:20:35 +1000
commiteff30363c0b8b057f773108589bfd8881659fe74 (patch)
tree6ae631c2fa01174a24da347b68fc25f0c350bc2b
parent05ce7bfe547c9fa967d9cab6c37867a9cb6fb3fa (diff)
downloadlinux-stable-eff30363c0b8b057f773108589bfd8881659fe74.tar.gz
linux-stable-eff30363c0b8b057f773108589bfd8881659fe74.tar.bz2
linux-stable-eff30363c0b8b057f773108589bfd8881659fe74.zip
CRED: Fix double free in prepare_usermodehelper_creds() error handling
Patch 570b8fb505896e007fd3bb07573ba6640e51851d: Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Date: Tue Mar 30 00:04:00 2010 +0100 Subject: CRED: Fix memory leak in error handling attempts to fix a memory leak in the error handling by making the offending return statement into a jump down to the bottom of the function where a kfree(tgcred) is inserted. This is, however, incorrect, as it does a kfree() after doing put_cred() if security_prepare_creds() fails. That will result in a double free if 'error' is jumped to as put_cred() will also attempt to free the new tgcred record by virtue of it being pointed to by the new cred record. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--kernel/cred.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/cred.c b/kernel/cred.c
index e1dbe9eef800..ce1a52b9e8a3 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -398,6 +398,8 @@ struct cred *prepare_usermodehelper_creds(void)
error:
put_cred(new);
+ return NULL;
+
free_tgcred:
#ifdef CONFIG_KEYS
kfree(tgcred);