Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp3226168ybz; Sun, 3 May 2020 21:13:26 -0700 (PDT) X-Google-Smtp-Source: APiQypJUbQJmSbIwr9z8xbjP52gGzo6L+9ah1b3uhZQc6yKkpw2Xr7y4CqpUb4c/L2sYOgOIgo+A X-Received: by 2002:a05:6402:1d09:: with SMTP id dg9mr13284095edb.118.1588565606217; Sun, 03 May 2020 21:13:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588565606; cv=none; d=google.com; s=arc-20160816; b=pdxULQFKf/zze40sW46KUnFB+L03AcB9Y2p7yfs5CMuzAs21t/6BgV7Hn+i4r8DW8A XLh0Q/bBEVXVUCtyDnsE5NgILKoTG/JK5amW/zCvGVJgkpL5zwwKEBwnoEU3pTuzSOyu d6B0bLUO5WJDxI+uC5GysOoM7vp4b9Gcp5cM0tPdIQc6GOSdHOGsOIW7ebdjwiQCPn0S bfYEfr4rtyB7MM/NWoP9IeF5m02RRK103ue8ohmH9EQ3ivW+vcObyelh8XzXjsRjnVwk Z7NjXOGl34jClRwbK88rmTpWxf1jRYbjFlYHD++clOSYfbOn3/jj+G1ueAYWnzuhLK6V 7kdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:to:subject:dkim-signature; bh=+OROLZS0Nu6tDBEkHr8N8/CLWS2Ua8zrfFXn7uV44cs=; b=A/b/TAqDN6O67nzTB953X2GDT7QfbcMdUCMZeamE9ZgsqDXQ0usspWDo3Wk9UI2Rdv SLy9JffQ42zk/8LZ7+v3n48xeB66LrsfyGg8TdO7N2hf3T3ltZnEgtbXL5JAepNh7ZIw Qx2fjwnkimBSG34+IkWjf4qGIjQZWWghz8wICKuP8BwPIWGtTDMqUf6a6QY8L1ptpu9N nt46CrMvpDJ4SiacuiDdqGAHAQK28zwq9zspA25KFiKTlUUrVoEjjAIli2BE5bL2i+Nu rD6o+SC5q5AQ5x8B+CjBCrP1O9UDjA3741Kiuc0DuaVFhvY6DnAtwyOem+B4rJv3D1uh Y8IQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=SIRhBzc9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ch10si6106369edb.454.2020.05.03.21.13.03; Sun, 03 May 2020 21:13:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=SIRhBzc9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727092AbgEDD6F (ORCPT + 99 others); Sun, 3 May 2020 23:58:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726404AbgEDD6F (ORCPT ); Sun, 3 May 2020 23:58:05 -0400 Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 21747C061A0E for ; Sun, 3 May 2020 20:58:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=Content-Transfer-Encoding: Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:To: Subject:Sender:Reply-To:Cc:Content-ID:Content-Description; bh=+OROLZS0Nu6tDBEkHr8N8/CLWS2Ua8zrfFXn7uV44cs=; b=SIRhBzc9xhTkn34ZB5v8mEQt7M drV08fpCuWQxzTJrfchKZTtUl3tGd3WhJFPcjQB2Iizn1KRWq63purk4ygvbnXJ66Ja9lcTgBvw0f BSr7NDyhnYo6/mAQU1piQCROJGn4Fzlk81X518rCJOA1EWsl2QHewgzqmAOLY6zRMeOeswa5x5U0C i2+MKT5HJtV0mOqu/G8QyCimRCqiMIhK1Ywd0J3P998ACBWAoBrXGiCFKfHR+eXkPW52HVNQvXAmp ySAbLXHkJkHvhlXz9l4MjJadr2NSavg3A/Q+ahik0sF8zsEfYyCzQA35mz/gYBJHwmUa+dbKJUJ1T ip6oKJ1Q==; Received: from [2601:1c0:6280:3f0::19c2] by bombadil.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux)) id 1jVSF2-00021G-AH; Mon, 04 May 2020 03:58:04 +0000 Subject: Re: Possible memory leak in unxz() To: Dongyang Zhan , linux-kernel@vger.kernel.org, Lasse Collin References: From: Randy Dunlap Message-ID: Date: Sun, 3 May 2020 20:58:02 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5/3/20 12:23 AM, Dongyang Zhan wrote: > Hi, > > I am a security researcher, my name is Dongyang Zhan. I found a potential bug. > > I hope you can help me to confirm it. > > Thank you. > > Possible memory leak in Linux 4.10.17. The function unxz() in It would be more helpful if you could focus on more recent/current source code. If someone makes a patch for current source code and it needs to be backported to older kernels, then that would [normally] happen. > /lib/decompress_unxz.c forgets to free the pointer 'in', when the > statement if (fill == NULL && flush == NULL) is true. Adding xz contributor to email. I think that you are correct. (I am looking at 5.7-rc4.) However, I don't see any calls to __decompress() in the Linux kernel that pass a first argument of NULL, so while the code in unxz() could be fixed, we aren't currently leaking any memory AFAICT. > Source code and comments: > > if (in == NULL) { > must_free_in = true; > in = malloc(XZ_IOBUF_SIZE); > if (in == NULL) > goto error_alloc_in; > } > > b.in = in; > b.in_pos = 0; > b.in_size = in_size; > b.out_pos = 0; > > if (fill == NULL && flush == NULL) { > ret = xz_dec_run(s, &b); // When this statement is true, it will jumps > to the switch statement. But the allocated 'in' is not freed before > return. > } else { > ..... > } > ..... > switch (ret) { > case XZ_STREAM_END: > return 0; > > case XZ_MEM_ERROR: > /* This can occur only in multi-call mode. */ > error("XZ decompressor ran out of memory"); > break; > > case XZ_FORMAT_ERROR: > error("Input is not in the XZ format (wrong magic bytes)"); > break; > > case XZ_OPTIONS_ERROR: > error("Input was encoded with settings that are not " > "supported by this XZ decoder"); > break; > > case XZ_DATA_ERROR: > case XZ_BUF_ERROR: > error("XZ-compressed data is corrupt"); > break; > > default: > error("Bug in the XZ decompressor"); > break; > } > > return -1; > .... thanks. -- ~Randy