[PATCH] x86_64 memleak from malicious 32bit elf program

malicious 32bit app can have an elf section at 0xffffe000.  During
exec of this app, we will have a memory leak as insert_vm_struct() is
not checking for return value in syscall32_setup_pages() and thus not
freeing the vma allocated for the vsyscall page.

Check the return value and free the vma incase of failure.

Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/arch/x86_64/ia32/syscall32.c b/arch/x86_64/ia32/syscall32.c
index 01d8db1a1c09c7bff982a740bf5222735e996893..816a3b89f13d870865d0a85353ae7a58c7386b65 100644 (file)
--- a/arch/x86_64/ia32/syscall32.c
+++ b/arch/x86_64/ia32/syscall32.c
@@ -57,6 +57,7 @@ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack)
        int npages = (VSYSCALL32_END - VSYSCALL32_BASE) >> PAGE_SHIFT;
        struct vm_area_struct *vma;
        struct mm_struct *mm = current->mm;
+       int ret;
 
        vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
        if (!vma)
@@ -78,7 +79,11 @@ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack)
        vma->vm_mm = mm;
 
        down_write(&mm->mmap_sem);
-       insert_vm_struct(mm, vma);
+       if ((ret = insert_vm_struct(mm, vma))) {
+               up_write(&mm->mmap_sem);
+               kmem_cache_free(vm_area_cachep, vma);
+               return ret;
+       }
        mm->total_vm += npages;
        up_write(&mm->mmap_sem);
        return 0;