NetBSD-Bugs archive
kern/44207: memory-leak in raid-ioctl(RAIDFRAME_GET_COMPONENT_LABEL)
>Number: 44207
>Category: kern
>Synopsis: memory-leak in raid-ioctl(RAIDFRAME_GET_COMPONENT_LABEL)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Dec 08 15:15:00 +0000 2010
>Originator: Dr. W. Stukenbrock
>Release: NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD test-s0 4.0 NetBSD 4.0 (NSW-WS) #0: Tue Aug 17 17:28:09 CEST 2010 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
While adding support for parity-map handling, the ioctl code for
RAIDFRAME_GET_COMPONENT_LABEL was changed.
Accidentally, the memory allocated for the copyin is no longer checked for
an allocation error, nor is the memory freed on a copyin() error or on bad
values in the just-copied-in parameter.
Another problem, during attach of the raidframe driver, is that the number
of available raid devices is not reset to 0 if no memory for the softc
structures can be allocated.
This will of course be a very rare situation, but if it happens, access to
not-allocated memory may occur. (Found by checking all RF_Malloc()'s in
this file ...)
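The leak pattern the report describes, as an added illustration that is not the raidframe driver's code: a stand-in for the ioctl path with a simulated copyin and an allocation counter, showing that returning straight from the error checks leaves the label buffer unreleased while a single-exit version frees it on every path. All names here (sim_malloc, sim_copyin, get_component_label and the rest) are assumptions of the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the component label; only the field the column check needs. */
struct component_label { int column; };

/* Allocations not yet freed: a leak on an error path shows up as a nonzero count. */
static int outstanding_allocs;
static void *sim_malloc(size_t n) { void *p = malloc(n); if (p) outstanding_allocs++; return p; }
static void sim_free(void *p) { outstanding_allocs--; free(p); }

/* Stand-in for copyin(9): a NULL user pointer plays the role of an unmapped address. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t n)
{
    if (uaddr == NULL)
        return EFAULT;
    memcpy(kaddr, uaddr, n);
    return 0;
}

/*
 * Models the ioctl path from the report: allocate, copyin, validate the column.
 * hardened == false returns straight from the error checks, as the unpatched
 * driver does, so the buffer is never released; hardened == true routes every
 * path through the single free at the end.
 */
int get_component_label(const struct component_label *uaddr, int num_cols, bool hardened)
{
    struct component_label *clabel = sim_malloc(sizeof(*clabel));
    int error;

    if (clabel == NULL)
        return ENOMEM;                  /* nothing was allocated, nothing to free */
    error = sim_copyin(uaddr, clabel, sizeof(*clabel));
    if (error == 0 && (clabel->column < 0 || clabel->column >= num_cols))
        error = EINVAL;
    if (error != 0 && !hardened)
        return error;                   /* leak: clabel is still allocated */
    /* ... on success the label would be read or written here ... */
    sim_free(clabel);
    return error;
}

int leaked_allocations(void) { return outstanding_allocs; }
void reset_leak_counter(void) { outstanding_allocs = 0; }
```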
>How-To-Repeat:
Found by looking at the sources.
You may trigger it by passing bad values in the parameter for the
component-label column.
>Fix:
The following patch fixes both problems.
--- rf_netbsdkintf.c 2010/12/08 14:51:01 1.4
+++ rf_netbsdkintf.c 2010/12/08 15:03:48
@@ -387,6 +387,7 @@
M_RAIDFRAME, M_NOWAIT);
if (raid_softc == NULL) {
aprint_error("WARNING: no memory for RAIDframe driver\n");
+ num_raid = 0; /* reset number of raid devices to 0 - no memory
in our strucutres !!! */
return;
}
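Review bot: the added `+ num_raid = 0;` line has its comment wrapped onto a second line in the message body, so the hunk no longer matches its `+1` line count; make sure the committed form is a single source line (or a properly wrapped comment), and fix the typo `strucutres`. A shorter comment such as `/* no softc array allocated: expose no raid units */` would also read better than the `!!!`.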
@@ -1226,11 +1227,14 @@
* copy and hit the disk, as with disklabel(8).
*/
RF_Malloc(clabel, sizeof(*clabel), (RF_ComponentLabel_t *));
+ if (clabel == NULL)
+ return (ENOMEM);
retcode = copyin( *clabel_ptr, clabel,
sizeof(RF_ComponentLabel_t));
if (retcode) {
+ RF_Free(clabel, sizeof(*clabel));
return(retcode);
}
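Review bot: the `RF_Free` on the copyin failure path is right, but this hunk ends at old line 1237 while the next one starts at 1240, so any early `return` in the unshown lines between them would still leak `clabel`; please confirm none exists. Minor style: `return (ENOMEM);` puts a space before the parenthesis while the neighbouring `return(retcode);` does not; match the surrounding file.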
@@ -1240,6 +1244,7 @@
if ((column < 0) || (column >= raidPtr->numCol +
raidPtr->numSpare)) {
+ RF_Free(clabel, sizeof(*clabel));
return(EINVAL);
}
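Review bot: this is the second error path that repeats `RF_Free(clabel, sizeof(*clabel));` before returning; a single cleanup point (set `retcode = EINVAL` and fall through to one free-and-return at the end of the case) would keep any check added later between the copyin and the use of the label from reintroducing the leak. It is also worth verifying that the success path of this ioctl frees `clabel` once the label has been read or written, since nothing in the hunks shows it.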
>Unformatted: