Possible memory leak in unxz()
Hi, I am a security researcher, my name is Dongyang Zhan. I found a potential bug. I hope you can help me to confirm it. Thank you.

Possible memory leak in Linux 4.10.17. The function unxz() in /lib/decompress_unxz.c forgets to free the pointer 'in' when the statement if (fill == NULL && flush == NULL) is true.

Source code and comments:

    if (in == NULL) {
        must_free_in = true;
        in = malloc(XZ_IOBUF_SIZE);
        if (in == NULL)
            goto error_alloc_in;
    }
    b.in = in;
    b.in_pos = 0;
    b.in_size = in_size;
    b.out_pos = 0;
    if (fill == NULL && flush == NULL) {
        ret = xz_dec_run(s, &b); // When this statement is true, it will jump to the switch statement. But the allocated 'in' is not freed before return.
    } else {
        ...
    }
    ...
    switch (ret) {
    case XZ_STREAM_END:
        return 0;
    case XZ_MEM_ERROR:
        /* This can occur only in multi-call mode. */
        error("XZ decompressor ran out of memory");
        break;
    case XZ_FORMAT_ERROR:
        error("Input is not in the XZ format (wrong magic bytes)");
        break;
    case XZ_OPTIONS_ERROR:
        error("Input was encoded with settings that are not "
              "supported by this XZ decoder");
        break;
    case XZ_DATA_ERROR:
    case XZ_BUF_ERROR:
        error("XZ-compressed data is corrupt");
        break;
    default:
        error("Bug in the XZ decompressor");
        break;
    }
    return -1;
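Added example, not the kernel's code and not the reporter's: a constructed C model of the buffer-ownership pattern in unxz(), showing the shape in which the self-allocated buffer is freed only inside the multi-call branch beside a single-exit form that frees it on every path, with an allocation counter so the difference is measurable. RUN_DECODER, acquire_in(), tracked_alloc()/tracked_free() and the sample header bytes are assumptions of this model, not kernel APIs.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the buffer-ownership pattern in unxz() (example code, not
 * the kernel's); RUN_DECODER is a hypothetical stand-in for xz_dec_run(). */
#define IOBUF_SIZE 4096
enum { DEC_STREAM_END, DEC_DATA_ERROR };
int live_allocs; /* outstanding allocations, so a test can account for leaks */
static void *tracked_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }
unsigned char sample_xz_header[] = { 0xFD, '7', 'z', 'X', 'Z', 0x00 }; /* constructed: xz magic only */

/* Stand-in decoder: "succeeds" only if input starts with 0xFD (first xz magic byte). */
#define RUN_DECODER(in, n) (((n) > 0 && (in)[0] == 0xFD) ? DEC_STREAM_END : DEC_DATA_ERROR)
/* Mirrors the prologue of unxz(): we own the buffer only if we allocated it. */
static unsigned char *acquire_in(unsigned char *in, bool *must_free_in)
{
	if (in != NULL) return in;
	*must_free_in = true;
	return tracked_alloc(IOBUF_SIZE);
}

/* Shape of the reported code: the self-allocated buffer is released only inside
 * the multi-call branch, so single-call mode with in == NULL never frees it. */
int decompress_branch_free(unsigned char *in, size_t in_size, bool multi_call)
{
	bool must_free_in = false; int ret;
	if ((in = acquire_in(in, &must_free_in)) == NULL)
		return -1;
	if (!multi_call) {
		ret = RUN_DECODER(in, in_size);
	} else {
		ret = RUN_DECODER(in, in_size); /* refill loop elided in this model */
		if (must_free_in)
			tracked_free(in);
	}
	return ret == DEC_STREAM_END ? 0 : -1;
}

/* Hardened shape: one exit path shared by every mode and decoder result owns the cleanup. */
int decompress_single_exit(unsigned char *in, size_t in_size, bool multi_call)
{
	bool must_free_in = false; int ret;
	if ((in = acquire_in(in, &must_free_in)) == NULL)
		return -1;
	(void)multi_call; /* both modes make the same single call in this model */
	ret = RUN_DECODER(in, in_size);
	if (must_free_in)
		tracked_free(in);
	return ret == DEC_STREAM_END ? 0 : -1;
}
```

A caller-supplied buffer is never freed by either form; only the buffer the function allocated for itself is subject to the leak.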
Possible null pointer dereference in smp_init_package_map()
Hi, I am a security researcher, my name is Dongyang Zhan. I found a potential bug. I hope you can help me to confirm it. Thank you.

In Linux 4.10.17, smp_init_package_map() in /arch/x86/kernel/smpboot.c does not handle the failure of memory allocation, which may cause a null pointer dereference bug.

Source code link: https://elixir.bootlin.com/linux/v4.10.17/source/arch/x86/kernel/smpboot.c#L326

Source code and comments:

    physical_to_logical_pkg = kmalloc(size, GFP_KERNEL);
    memset(physical_to_logical_pkg, 0xff, size); // does not check if kmalloc fails
Fwd: Possible null pointer dereference caused by vmstat_start()
From: Dongyang Zhan
Date: Sunday, May 3, 2020, 1:45 PM
Subject: Possible null pointer dereference caused by vmstat_start()
To:
Cc:

In Linux 4.10.17, vmstat_start() stores the result of v = kmalloc(stat_items_size, GFP_KERNEL) in m->private = v before the security check. If m->private is accessed, it may cause a null pointer dereference.

Source code link: https://elixir.bootlin.com/linux/v4.10.17/source/mm/vmstat.c#L1465

Source code:

    v = kmalloc(stat_items_size, GFP_KERNEL);
    m->private = v; // stores v before check;
    if (!v)
        return ERR_PTR(-ENOMEM);

Function rdtgroup_seqfile_show() in arch/x86/kernel/cpu/intel_rdt_rdtgroup.c accesses this pointer without a check, which is a possible bug.

Link: https://elixir.bootlin.com/linux/v4.10.17/source/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c#150

Source code:

    static int rdtgroup_seqfile_show(struct seq_file *m, void *arg)
    {
        struct kernfs_open_file *of = m->private;
        struct rftype *rft = of->kn->priv; // without check;

        if (rft->seq_show)
            return rft->seq_show(of, m, arg);
        return 0;
    }