From: Dongyang Zhan
Date: Sun, 3 May 2020 15:23:37 +0800
Subject: Possible memory leak in unxz()
To: linux-kernel@vger.kernel.org

Hi,

I am a security researcher; my name is Dongyang Zhan. I found a potential bug. I hope you can help me to confirm it. Thank you.

Possible memory leak in Linux 4.10.17.

The function unxz() in /lib/decompress_unxz.c forgets to free the pointer 'in' when the statement if (fill == NULL && flush == NULL) is true.

Source code and comments:

	if (in == NULL) {
		must_free_in = true;
		in = malloc(XZ_IOBUF_SIZE);
		if (in == NULL)
			goto error_alloc_in;
	}

	b.in = in;
	b.in_pos = 0;
	b.in_size = in_size;
	b.out_pos = 0;

	if (fill == NULL && flush == NULL) {
		ret = xz_dec_run(s, &b);
		// When this statement is true, it will jump to the switch
		// statement. But the allocated 'in' is not freed before return.
	} else {
		.....
	}
	.....
	switch (ret) {
	case XZ_STREAM_END:
		return 0;

	case XZ_MEM_ERROR:
		/* This can occur only in multi-call mode. */
		error("XZ decompressor ran out of memory");
		break;

	case XZ_FORMAT_ERROR:
		error("Input is not in the XZ format (wrong magic bytes)");
		break;

	case XZ_OPTIONS_ERROR:
		error("Input was encoded with settings that are not "
		      "supported by this XZ decoder");
		break;

	case XZ_DATA_ERROR:
	case XZ_BUF_ERROR:
		error("XZ-compressed data is corrupt");
		break;

	default:
		error("Bug in the XZ decompressor");
		break;
	}

	return -1;
	....
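An added example, not part of the report or of the kernel source, that models the ownership problem described in the message in plain C: a version shaped like the quoted code, where the free lives only on the multi-call branch, beside a version with a single cleanup point, with malloc/free instrumented so a test can count buffers left outstanding. xz_dec_run(), the struct xz_buf setup and error() are replaced by stubs, and the single_call flag stands in for fill == NULL && flush == NULL.

```c
/* Added example (not kernel code): a model of the unxz() control flow quoted in
 * the report. xz_dec_run() is replaced by a chosen status, and malloc/free are
 * instrumented so a test can count buffers still outstanding when it returns. */
#include <stdbool.h>
#include <stdlib.h>
#define XZ_IOBUF_SIZE 4096
enum xz_ret { XZ_OK, XZ_STREAM_END, XZ_DATA_ERROR };
static int live_allocs;   /* buffers allocated but not yet freed */
static void *last_alloc;  /* remembered so the harness can reclaim a leak */
static void *xmalloc(size_t n) { live_allocs++; return last_alloc = malloc(n); }
static void xfree(void *p) { live_allocs--; free(p); last_alloc = NULL; }

/* Shape of the code in the report: the free sits only on the multi-call
 * branch, so single-call mode (fill == NULL && flush == NULL) reaches the
 * status switch with 'in' still live. in == NULL models a caller with no buffer. */
int unxz_leaky(void *in, bool single_call, enum xz_ret outcome)
{
	bool must_free_in = false;
	enum xz_ret ret;
	if (in == NULL) { must_free_in = true; in = xmalloc(XZ_IOBUF_SIZE); }
	if (in == NULL) return -1;              /* error_alloc_in path */
	if (single_call) {
		ret = outcome;                  /* stands in for xz_dec_run(s, &b) */
	} else {
		ret = outcome;                  /* fill/flush loop elided */
		if (must_free_in) xfree(in);    /* the only free in the original */
	}
	return ret == XZ_STREAM_END ? 0 : -1;   /* stands in for the switch */
}

/* Hardened shape: one cleanup point that every path passes through before
 * the status is examined, so ownership of 'in' does not depend on the mode. */
int unxz_fixed(void *in, bool single_call, enum xz_ret outcome)
{
	bool must_free_in = false;
	if (in == NULL) { must_free_in = true; in = xmalloc(XZ_IOBUF_SIZE); }
	if (in == NULL) return -1;
	enum xz_ret ret = outcome;  /* decode; same stub whichever mode single_call selects */
	if (must_free_in) xfree(in);            /* unconditional on the branch taken */
	return ret == XZ_STREAM_END ? 0 : -1;
}

/* Runs fn with no caller buffer and reports how many buffers it left live. */
int leaked_after(int (*fn)(void *, bool, enum xz_ret), bool single_call, enum xz_ret outcome)
{
	live_allocs = 0; fn(NULL, single_call, outcome);
	int leaked = live_allocs;
	free(last_alloc); last_alloc = NULL;    /* keep the harness itself leak-free */
	return leaked;
}
```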