POSIX ACL object is leaked in several places upon setattr and fsetxattr syscalls

Solution Verified - Updated -

Issue

  • The kernel leaks a POSIX ACL object on an ACL_TYPE_ACCESS operation, as reported by kmemleak:
[  708.617544] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
...
# cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff8e77eb8ed740 (size 64):
  comm "cp", pid 2020, jiffies 4294846037 (age 1228.415s)
  hex dump (first 32 bytes):
    01 00 00 00 77 8e ff ff 65 64 5f 75 3a 6f 62 6a  ....w...ed_u:obj
    03 00 00 00 01 00 07 00 6d 69 6e 5f 04 00 05 00  ........min_....
  backtrace:
    [<ffffffffbb280c5c>] __kmalloc+0x14c/0x430
    [<ffffffffbb32891c>] posix_acl_alloc+0x1c/0x30
    [<ffffffffbb3293e2>] posix_acl_from_xattr+0x82/0x190
    [<ffffffffc0afc192>] ext4_xattr_set_acl+0x92/0x2e0 [ext4]
    [<ffffffffbb2de6eb>] generic_setxattr+0x6b/0x90
    [<ffffffffbb2def65>] __vfs_setxattr_noperm+0x65/0x1b0
    [<ffffffffbb2df165>] vfs_setxattr+0xb5/0xc0
    [<ffffffffbb2df2cc>] setxattr+0x15c/0x1f0
    [<ffffffffbb2df7ce>] SyS_fsetxattr+0xce/0x110
    [<ffffffffbb88fa92>] system_call_fastpath+0x25/0x2a
    [<ffffffffffffffff>] 0xffffffffffffffff
  • For example, this leak occurs on every fsetxattr call, which allows an arbitrary user to exhaust all the kernel memory.
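
One way to triage a kmemleak report like the one above, as an added example that is not part of the original article or Red Hat's code: it groups unreferenced objects by allocation path and totals the objects and bytes leaked per path, so a path that grows between scans stands out. The function names, the second and third sample objects and `example_alloc` are constructed for illustration.

```python
import re
from collections import Counter

HEADER = re.compile(r"unreferenced object 0x[0-9a-f]+ \(size (\d+)\):")
FRAME = re.compile(r"\[<[0-9a-f]+>\] (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse(report):
    """Return one {'size': int, 'stack': [symbols]} dict per leaked object."""
    objs = []
    for line in report.splitlines():
        header = HEADER.match(line.strip())
        frame = FRAME.search(line)
        if header:
            objs.append({"size": int(header.group(1)), "stack": []})
        elif frame and objs:
            objs[-1]["stack"].append(frame.group(1))
    return objs

def leaks_by_path(report, depth=4):
    """Group leaked objects by their innermost `depth` frames.

    Returns {stack_tuple: (object_count, total_bytes)}; a path whose count
    keeps growing between scans is a leak on a repeatable code path.
    """
    count, size = Counter(), Counter()
    for obj in parse(report):
        key = tuple(obj["stack"][:depth])
        count[key] += 1
        size[key] += obj["size"]
    return {k: (count[k], size[k]) for k in count}

def paths_through(report, symbol):
    """Keep only the allocation paths that pass through `symbol`."""
    return {k: v for k, v in leaks_by_path(report).items() if symbol in k}

# Constructed sample: the first object is the one in the report above, the
# second repeats its stack at a made-up address, the third is unrelated.
ACL = ("  backtrace:\n"
       "    [<ffffffffbb280c5c>] __kmalloc+0x14c/0x430\n"
       "    [<ffffffffbb32891c>] posix_acl_alloc+0x1c/0x30\n"
       "    [<ffffffffbb3293e2>] posix_acl_from_xattr+0x82/0x190\n"
       "    [<ffffffffc0afc192>] ext4_xattr_set_acl+0x92/0x2e0 [ext4]\n")
SAMPLE = ("unreferenced object 0xffff8e77eb8ed740 (size 64):\n" + ACL +
          "unreferenced object 0xffff8e77eb8ed780 (size 64):\n" + ACL +
          "unreferenced object 0xffff8e77eb8ed800 (size 128):\n  backtrace:\n"
          "    [<ffffffffbb280c5c>] __kmalloc+0x14c/0x430\n"
          "    [<ffffffffbb000000>] example_alloc+0x10/0x20\n")

if __name__ == "__main__":
    for stack, (n, nbytes) in paths_through(SAMPLE, "posix_acl_alloc").items():
        print(f"{n} objects, {nbytes} bytes: {' <- '.join(stack)}")
```

On a live system the input would be the contents of /sys/kernel/debug/kmemleak instead of `SAMPLE`.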

Environment

  • Red Hat Enterprise Linux 7
