Commit def52e20 authored by Zhipeng Lu, committed by Dong Chenchen

SUNRPC: fix a memleak in gss_import_v2_context

mainline inclusion
from mainline-v6.9-rc1
commit e67b652d8e8591d3b1e569dbcdfcee15993e91fa
category: bugfix
bugzilla: 189914, https://gitee.com/src-openeuler/kernel/issues/I9L9IF
CVE: CVE-2023-52653

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e67b652d8e8591d3b1e569dbcdfcee15993e91fa



--------------------------------

The ctx->mech_used.data allocated by kmemdup is freed in neither
gss_import_v2_context nor its only caller gss_krb5_import_sec_context,
which frees ctx on error.

Thus, this patch reforms the last call of gss_import_v2_context to the
gss_krb5_import_ctx_v2, preventing the memleak while keeping the return
formation.

Fixes: 47d84807 ("gss_krb5: handle new context format from gssd")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Conflicts:
	net/sunrpc/auth_gss/gss_krb5_mech.c
[commit 279a67cd was not merged]
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
parent 7d91c9c7
+17 −4
@@ -588,6 +588,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
{
	int keylen;
	u32 time32;
	int ret;

	p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
	if (IS_ERR(p))
@@ -644,16 +645,28 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,

	switch (ctx->enctype) {
	case ENCTYPE_DES3_CBC_RAW:
		return context_derive_keys_des3(ctx, gfp_mask);
		ret = context_derive_keys_des3(ctx, gfp_mask);
		break;
	case ENCTYPE_ARCFOUR_HMAC:
		return context_derive_keys_rc4(ctx);
		ret = context_derive_keys_rc4(ctx);
		break;
	case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
	case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
		return context_derive_keys_new(ctx, gfp_mask);
		ret = context_derive_keys_new(ctx, gfp_mask);
		break;
	default:
		return -EINVAL;
		ret = -EINVAL;
	}

	if (ret) {
		p = ERR_PTR(ret);
		goto out_free;
	}

	return 0;

out_free:
	kfree(ctx->mech_used.data);
out_err:
	return PTR_ERR(p);
}
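Review bot: at the out_free label, kfree(ctx->mech_used.data) leaves the pointer dangling in a ctx that, per the commit message, the caller goes on to free on error; setting ctx->mech_used.data = NULL right after the kfree would keep any later cleanup that touches mech_used.data from becoming a double free. Separately, the failure path stores ret into p with ERR_PTR(ret) only so that the fall-through into out_err can return PTR_ERR(p); returning ret directly after the kfree would avoid reusing the parse cursor as an error carrier. The default arm is also the only switch arm that assigns ret without a following break, which is harmless as the last arm but inconsistent with the others.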