From 50fbd977733d1cbafe75baf4b50424434dcfea8c Mon Sep 17 00:00:00 2001
From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Date: Tue, 5 Apr 2016 22:41:05 +0530
Subject: lkdtm: fix memory leak of val

This case is supposed to read from a page after after it is freed, but
it missed freeing val if we are not able to get a free page.

Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/misc/lkdtm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'drivers/misc')

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 5f1a36b8fbb0..2f0b02248761 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -498,12 +498,13 @@ static void lkdtm_do_action(enum ctype which)
 	}
 	case CT_READ_BUDDY_AFTER_FREE: {
 		unsigned long p = __get_free_page(GFP_KERNEL);
-		int saw, *val = kmalloc(1024, GFP_KERNEL);
+		int saw, *val;
 		int *base;
 
 		if (!p)
 			break;
 
+		val = kmalloc(1024, GFP_KERNEL);
 		if (!val)
 			break;
 
-- 
cgit v1.2.3


From d2e10088ce01191748857296999b8c24a9a51959 Mon Sep 17 00:00:00 2001
From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Date: Tue, 5 Apr 2016 22:41:06 +0530
Subject: lkdtm: fix memory leak of base

This case is supposed to read from a memory after it has been freed,
but we missed freeing base if the memory 'val' could not be allocated.

Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/misc/lkdtm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'drivers/misc')

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 2f0b02248761..5b3a63c87ec9 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -458,8 +458,10 @@ static void lkdtm_do_action(enum ctype which)
 			break;
 
 		val = kmalloc(len, GFP_KERNEL);
-		if (!val)
+		if (!val) {
+			kfree(base);
 			break;
+		}
 
 		*val = 0x12345678;
 		base[offset] = *val;
-- 
cgit v1.2.3


From 3d085c7413d32bb6895e5b9b5ee6a7d2180159c5 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Wed, 6 Apr 2016 15:53:27 -0700
Subject: lkdtm: do not leak free page on kmalloc failure

This frees the allocated page if there is a kmalloc failure.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/misc/lkdtm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'drivers/misc')

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 5b3a63c87ec9..0a5cbbe12452 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -507,8 +507,10 @@ static void lkdtm_do_action(enum ctype which)
 			break;
 
 		val = kmalloc(1024, GFP_KERNEL);
-		if (!val)
+		if (!val) {
+			free_page(p);
 			break;
+		}
 
 		base = (int *)p;
 
-- 
cgit v1.2.3