If an error (NULL) is returned by krealloc(), callers of realloc_array()
were setting their allocation pointers to NULL, but on error krealloc()
does not touch the original allocation. This would result in a memory
resource leak. Instead, free the old allocation on the error handling
path.
The memory leak information is as follows as also reported by Zhengchao:
unreferenced object 0xffff888019801800 (size 256):
comm "bpf_repo", pid 6490, jiffies
4294959200 (age 17.170s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<
00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0
[<
0000000086712a0b>] krealloc+0x83/0xd0
[<
00000000139aab02>] realloc_array+0x82/0xe2
[<
00000000b1ca41d1>] grow_stack_state+0xfb/0x186
[<
00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341
[<
0000000081780455>] do_check_common+0x5358/0xb350
[<
0000000015f6b091>] bpf_check.cold+0xc3/0x29d
[<
000000002973c690>] bpf_prog_load+0x13db/0x2240
[<
00000000028d1644>] __sys_bpf+0x1605/0x4ce0
[<
00000000053f29bd>] __x64_sys_bpf+0x75/0xb0
[<
0000000056fedaf5>] do_syscall_64+0x35/0x80
[<
000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes: c69431aab67a ("bpf: verifier: Improve function state reallocation")
Reported-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reported-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Bill Wendling <morbo@google.com>
Cc: Lorenz Bauer <oss@lmb.io>
Link: https://lore.kernel.org/bpf/20221029025433.2533810-1-keescook@chromium.org
*/
static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size)
{
+ void *new_arr;
+
if (!new_n || old_n == new_n)
goto out;
- arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
- if (!arr)
+ new_arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
+ if (!new_arr) {
+ kfree(arr);
return NULL;
+ }
+ arr = new_arr;
if (new_n > old_n)
memset(arr + old_n * size, 0, (new_n - old_n) * size);