Date: Sun, 10 May 2020 22:15:07 +0300
From: Lasse Collin
To: Randy Dunlap, Dongyang Zhan
Cc: linux-kernel@vger.kernel.org
Subject: Re: Possible memory leak in unxz()
Message-ID: <20200510221507.53c65961@tukaani.org>

> On 5/3/20 12:23 AM, Dongyang Zhan wrote:
> > I am a security researcher, my name is Dongyang Zhan. I found a
> > potential bug.

Thank you for looking for bugs!

On 2020-05-03 Randy Dunlap wrote:
> On 5/3/20 12:23 AM, Dongyang Zhan wrote:
> > /lib/decompress_unxz.c forgets to free the pointer 'in', when the
> > statement if (fill == NULL && flush == NULL) is true.
>
> Adding xz contributor to email.
>
> I think that you are correct. (I am looking at 5.7-rc4.)
>
> However, I don't see any calls to __decompress() in the
> Linux kernel that pass a first argument of NULL, so while
> the code in unxz() could be fixed, we aren't currently leaking
> any memory AFAICT.

The supposedly leaked memory is allocated only when in == NULL, and it's
not freed when fill == NULL && flush == NULL. However, "in" and "fill"
must never be NULL at the same time if the caller is following the
decompress_fn API defined in include/linux/decompress/generic.h. So
there is no leak.

Some implementations of the API explicitly check for input == NULL &&
fill == NULL while some don't. E.g. decompress_unlz4.c checks it but in
addition it seems to also reject the case where input != NULL && fill !=
NULL. Perhaps that combination isn't used anywhere but it is allowed by
the API ("input" would be a temporary buffer for "fill").

I think the decompress_fn API is more complex than it looks at a glance.

-- 
Lasse Collin  |  IRC: Larhzu @ IRCnet & Freenode
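The decompress_fn contract discussed in this thread, as an added example that is neither the kernel's decompress_unxz.c nor code from anyone on the thread: a user-space sketch in which the caller-bug case (in == NULL && fill == NULL) is rejected before the temporary input buffer is allocated, the buffer is released on one exit path, and a live-allocation counter lets the caller confirm nothing leaks in single-call or multi-call mode. All names (demo_decompress, IOBUF_SIZE, the sample callbacks) are hypothetical.

```c
/* Added example, not the kernel's decompress_unxz.c: a user-space sketch of the decompress_fn
 * contract discussed above; temp buffer freed on every exit path; names are hypothetical. */
#include <stdlib.h>
#include <string.h>
#define IOBUF_SIZE 8
typedef long (*fill_fn)(void *buf, unsigned long size);
typedef long (*flush_fn)(void *buf, unsigned long size);
static int live_allocs;                           /* temp buffers not yet freed */
int demo_live_allocs(void) { return live_allocs; }

/* 0 on success, -1 on contract violation or short output, -2 on OOM. */
int demo_decompress(unsigned char *in, long in_size, fill_fn fill,
                    flush_fn flush, unsigned char *out, long out_size) {
    int must_free_in = 0, ret = -1;
    /* generic.h: in == NULL means "obtain input through fill", so both NULL
     * leaves no input source; reject it before allocating anything. */
    if (in == NULL && fill == NULL) return -1;
    if (in == NULL) {                             /* temp buffer owned by us */
        if ((in = malloc(IOBUF_SIZE)) == NULL) return -2;
        live_allocs++; must_free_in = 1; in_size = 0;
    }
    if (fill == NULL && flush == NULL) {          /* single-call: all in, all out */
        if (in_size <= out_size) { memcpy(out, in, (size_t)in_size); ret = 0; }
    } else {                                      /* multi-call: pull/push chunks */
        long n, used = 0; ret = 0;
        do {
            n = fill ? fill(in, IOBUF_SIZE) : in_size;
            if (n <= 0) break;
            if (flush) { if (flush(in, (unsigned long)n) != n) ret = -1; }
            else if (used + n <= out_size) { memcpy(out + used, in, (size_t)n); used += n; }
            else ret = -1;
        } while (fill && ret == 0);
    }
    if (must_free_in) { free(in); live_allocs--; } /* the one exit path */
    return ret;
}

/* Constructed sample input and callbacks standing in for a real caller. */
static unsigned char sample[] = "hello, decompress_fn", sink[64]; static long sample_pos, sink_len;
static long fill_from_sample(void *buf, unsigned long size) {     /* hand out sample in chunks */
    long n = (long)sizeof sample - sample_pos; if (n > (long)size) n = (long)size;
    memcpy(buf, sample + sample_pos, (size_t)n); sample_pos += n; return n; }
static long flush_to_sink(void *buf, unsigned long size) {        /* append to sink */
    if (sink_len + (long)size > (long)sizeof sink) return -1;
    memcpy(sink + sink_len, buf, size); sink_len += (long)size; return (long)size; }
/* Scenarios: caller bug, caller-owned buffer (nothing allocated), temp buffer via fill. */
int demo_bad_args(void)    { return demo_decompress(NULL, 0, NULL, NULL, sink, sizeof sink); }
int demo_single_call(void) { return demo_decompress(sample, sizeof sample, NULL, NULL, sink, sizeof sink); }
int demo_multi_call(void)  { int r; sample_pos = sink_len = 0;
    r = demo_decompress(NULL, 0, fill_from_sample, flush_to_sink, NULL, 0);
    return (r == 0 && sink_len == (long)sizeof sample && !memcmp(sink, sample, sizeof sample)) ? 0 : -9; }
```

The contract check sits before the malloc, so the branch Dongyang pointed at can never be reached with an unreleased temporary buffer, and demo_live_allocs() stays at zero across all three scenarios.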