[dm-devel] [PATCH] Wipe buffer even if vamlloc fails

Milan Broz mbroz at redhat.com
Wed Mar 9 16:51:56 UTC 2011


We can honor the secure data flag even when allocation
of the local buffer fails but the user params are valid.

Signed-off-by: Milan Broz <mbroz at redhat.com>
---
 drivers/md/dm-ioctl.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 516def2..4cacdad 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1504,6 +1504,7 @@ static int check_version(unsigned int cmd, struct dm_ioctl __user *user)
 static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl **param)
 {
 	struct dm_ioctl tmp, *dmi;
+	int secure_data;
 
 	if (copy_from_user(&tmp, user, sizeof(tmp) - sizeof(tmp.data)))
 		return -EFAULT;
@@ -1511,23 +1512,27 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl **param)
 	if (tmp.data_size < (sizeof(tmp) - sizeof(tmp.data)))
 		return -EINVAL;
 
+	secure_data = tmp.flags & DM_SECURE_DATA_FLAG;
+
 	dmi = vmalloc(tmp.data_size);
-	if (!dmi)
+	if (!dmi) {
+		if (secure_data && clear_user(user, tmp.data_size))
+			return -EFAULT;
 		return -ENOMEM;
+	}
 
 	if (copy_from_user(dmi, user, tmp.data_size))
 		goto bad;
 
 	/* Wipe the user buffer so we do not return it to userspace */
-	if ((tmp.flags & DM_SECURE_DATA_FLAG) &&
-	    clear_user(user, tmp.data_size))
+	if (secure_data && clear_user(user, tmp.data_size))
 		goto bad;
 
 	*param = dmi;
 	return 0;
 
 bad:
-	if (tmp.flags & DM_SECURE_DATA_FLAG)
+	if (secure_data)
 		memset(dmi, 0, tmp.data_size);
 	vfree(dmi);
 	return -EFAULT;
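Review bot: The full `copy_from_user(dmi, user, tmp.data_size)` reads the header from userspace a second time, so `dmi->data_size` and `dmi->flags` are not guaranteed to match the values validated and cached from `tmp`, including the new `secure_data`. If later code trusts the fields in `*param` (not visible in this hunk), it could act on a size that was never checked against the `vmalloc` length, because userspace can change the buffer between the two reads. A check right after the copy, such as `if (dmi->data_size != tmp.data_size) goto bad;`, would close that gap. Separately, the `copy_from_user` failure path jumps to `bad` without trying to wipe the user buffer, so with the secure flag set the readable part stays in place; a comment should state whether that is intended. `copy_params` starts in the previous hunk and its closing brace is outside this one.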
-- 
1.7.2.3



