[systemd-devel] Memory leak in systemd on i686

PaX Team pageexec at freemail.hu
Mon Jan 28 09:56:55 PST 2013


On 28 Jan 2013 at 19:21, Michael Tremer wrote:

> Right when the system boots up, the PaX-enabled kernel panics because it
> apparently has found a memory leak in systemd. You can see the message
> that the kernel dumps in the attached screenshot and Stefan also got me
> an strace dump. In order to make that dump, he had to manually start
> systemd on the console.

It's a false positive from USERCOPY when fs/fhandle.c:do_sys_name_to_handle
(in 3.7.x) does this:

	copy_to_user(mnt_id, &real_mount(path->mnt)->mnt_id, sizeof(*mnt_id))

Here ->mnt_id is a struct mount instance which is allocated from a special
slab and is not marked for USERCOPY access, hence the runtime report. This
looks like a harmless infoleak so no further action is needed beyond the
obvious and simple fix: the ->mnt_id field has to be copied to a temporary
variable which can then be safely copied to userland; I'll do that in the
next patch.
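Added illustration (editor's note, not part of the mail above and not PaX or kernel code): a small userspace model of the USERCOPY rule the mail describes. The slab cache, the stand-in struct mount, the check function and the two name_to_handle variants are all assumptions made for the example; the real kernel reports (and on this box panicked) instead of returning an error code. It shows why copying straight out of an object from a non-whitelisted cache trips the check, why the same copy from a whitelisted cache passes only if it stays inside one object, and why bouncing the field through a stack temporary, as the mail proposes, satisfies the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Model (an assumption, not the kernel's implementation) of what PaX
 * USERCOPY checks on the source of copy_to_user(): if the source lies in a
 * slab cache, the cache must be whitelisted for usercopy and the copy must
 * stay inside a single object. Memory outside any tracked cache (stack
 * temporaries, static data) is not checked.
 */
struct slab_cache {
    const char *name;
    char *base;          /* start of the cache's backing memory */
    size_t nobjs;
    size_t objsize;
    bool usercopy;       /* whitelisted for userland copies */
};

/* minimal stand-in for the kernel's struct mount */
struct mount {
    unsigned long flags;
    int mnt_id;
};

#define USERCOPY_OK      0
#define USERCOPY_REPORT -1  /* the real kernel logs a report / panics here */

/* the mount cache is NOT whitelisted, as described in the mail */
static char mnt_backing[4 * sizeof(struct mount)];
static struct slab_cache mnt_cache = {
    "mnt_cache", mnt_backing, 4, sizeof(struct mount), false
};
/* a second, whitelisted cache of 16-byte objects to show the bounds rule */
static char wl_backing[2 * 16];
static struct slab_cache wl_cache = { "usercopy_ok", wl_backing, 2, 16, true };

static struct slab_cache *caches[] = { &mnt_cache, &wl_cache };

static int usercopy_check(const void *src, size_t n)
{
    uintptr_t p = (uintptr_t)src;
    for (size_t i = 0; i < sizeof caches / sizeof caches[0]; i++) {
        struct slab_cache *c = caches[i];
        uintptr_t lo = (uintptr_t)c->base;
        uintptr_t hi = lo + c->nobjs * c->objsize;
        if (p < lo || p >= hi)
            continue;                   /* source is not in this cache */
        if (!c->usercopy)
            return USERCOPY_REPORT;     /* cache not marked for USERCOPY */
        size_t off = (size_t)(p - lo) % c->objsize;
        if (off + n > c->objsize)
            return USERCOPY_REPORT;     /* copy would cross an object boundary */
        return USERCOPY_OK;
    }
    return USERCOPY_OK;                 /* stack or static data: unchecked */
}

static int model_copy_to_user(void *dst, const void *src, size_t n)
{
    int rc = usercopy_check(src, n);
    if (rc != USERCOPY_OK)
        return rc;
    memcpy(dst, src, n);
    return USERCOPY_OK;
}

/* hand out object idx of the model mount cache with the given id */
static struct mount *mnt_alloc(size_t idx, int id)
{
    struct mount *m = (struct mount *)(mnt_backing + idx * sizeof(struct mount));
    m->flags = 0;
    m->mnt_id = id;
    return m;
}

/* 3.7.x pattern from the mail: copy straight out of the struct mount object */
static int name_to_handle_direct(struct mount *m, int *user_mnt_id)
{
    return model_copy_to_user(user_mnt_id, &m->mnt_id, sizeof(*user_mnt_id));
}

/* fix proposed in the mail: bounce the field through a stack temporary */
static int name_to_handle_fixed(struct mount *m, int *user_mnt_id)
{
    int mnt_id = m->mnt_id;
    return model_copy_to_user(user_mnt_id, &mnt_id, sizeof(mnt_id));
}
```

The stack temporary works because USERCOPY only tracks slab-backed memory; the value itself is the same, so the fix changes nothing about what userland learns, which is why the mail treats it as a pure false positive rather than a vulnerability.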
