Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp1306803ybk;
        Sun, 10 May 2020 12:36:52 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy2WV9ghLZDmxvk7uFud7BTjA08sP2XSkojdz+0YCgMoVxyiVemiDExMAh5eCgqLk0b4eUB
X-Received: by 2002:a50:ed8f:: with SMTP id h15mr1642303edr.331.1589139412773;
        Sun, 10 May 2020 12:36:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1589139412; cv=none;
        d=google.com; s=arc-20160816;
        b=P2MU6vIAyzzzoP6Fd+XlP360IrGdHFVB6E0px17Z9QEQBLig37kT+YIiGsiQWMxzXJ
         YlroJ/TTmFWDgvvPihvHz4NkGXAie9z9apYOkwgir0wjHZCPH9skEENwVWPmYnNCS5jp
         o0JqU/EO+XF6T8cbcp5pGu/i+2eJEq/CX8Ex3Ar6NkB77TqSkuhI4X2GKJRI9chPgAJe
         1nW1hoaKxhN3xFEc91uPxPGiNdN1jQTmpR9jNlMcFfXV2DCtKAqqoyuLklBJkhtm4clx
         vq2BK7HlRFLR/Rtd7WO7xiAKdkmgb0eRxY7ZnuNl18A/wbDR80nCtnh0VfKwMm+slnqZ
         0bLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:subject:cc:to:from:date;
        bh=CdRaJguc0QnUtpUKJXEEN8ag3ZXcRm3i4ATW3uCzEqw=;
        b=xm+Bj4KqUFFZBnkDD53bRMwdUiGP2/0MC3MejzicHBQsEcWLrgBaKq7oa2C7zVppxK
         koTvuxCWfVSWSn7IM8W/bf83p0aQ0/smVZgHsMWU88bELLjJ1Pzi+9SEt26ViCQCINhI
         PFrG9/IMSuT+f/qp+eEOzncVPFErfRtTJ2iM6bIMaLhxAL2qOX1GG7lvhpdfqXuMl07z
         Ar77eSakgaahh2qTCJoSqMIbwQgW4QKvb3DJ6m+gGOgg4NEp2qyrEspPdHYwthxmDD+x
         Y8OaMHMYeb81Mdw4qI8QWJaEjaUBMQJKvSH1de5ijMaGoJgJ+TwHVfqlDY8oWdM/jtJn
         g0YA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id s8si4418047eji.349.2020.05.10.12.35.51;
        Sun, 10 May 2020 12:36:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729246AbgEJTYY (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Sun, 10 May 2020 15:24:24 -0400
Received: from mailscanner01.zoner.fi ([84.34.166.10]:53974 "EHLO
        mailscanner01.zoner.fi" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729113AbgEJTYX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 10 May 2020 15:24:23 -0400
X-Greylist: delayed 545 seconds by postgrey-1.27 at vger.kernel.org; Sun, 10 May 2020 15:24:22 EDT
Received: from www25.zoner.fi (www25.zoner.fi [84.34.147.45])
        by mailscanner01.zoner.fi (Postfix) with ESMTPS id 4096440C20;
        Sun, 10 May 2020 22:15:05 +0300 (EEST)
Received: from mail.zoner.fi ([84.34.147.244])
        by www25.zoner.fi with esmtp (Exim 4.93.0.4)
        (envelope-from <lasse.collin@tukaani.org>)
        id 1jXrPv-0002j1-VD; Sun, 10 May 2020 22:15:15 +0300
Date:   Sun, 10 May 2020 22:15:07 +0300
From:   Lasse Collin <lasse.collin@tukaani.org>
To:     Randy Dunlap <rdunlap@infradead.org>,
        Dongyang Zhan <zdyzztq@gmail.com>
Cc:     linux-kernel@vger.kernel.org
Subject: Re: Possible memory leak in unxz()
Message-ID: <20200510221507.53c65961@tukaani.org>
In-Reply-To: <daf2f87a-155c-0836-cf82-0b409b860d6d@infradead.org>
References: <CAFSR4csKYu95qak02h_sAH6Rpa13PUtHUZ+7Z7Vd7tmBQCNaqg@mail.gmail.com>
        <daf2f87a-155c-0836-cf82-0b409b860d6d@infradead.org>
X-Mailer: Claws Mail 3.17.5 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> On 5/3/20 12:23 AM, Dongyang Zhan wrote:
> > I am a security researcher, my name is Dongyang Zhan. I found a
> > potential bug.

Thank you for looking for bugs!

On 2020-05-03 Randy Dunlap wrote:
> On 5/3/20 12:23 AM, Dongyang Zhan wrote:
> > /lib/decompress_unxz.c forgets to free the pointer 'in', when  the
> > statement if (fill == NULL && flush == NULL) is true.  
> 
> Adding xz contributor to email.
> 
> I think that you are correct. (I am looking at 5.7-rc4.)
> 
> However, I don't see any calls to __decompress() in the
> Linux kernel that pass a first argument of NULL, so while
> the code in unxz() could be fixed, we aren't currently leaking
> any memory AFAICT.

The supposedly leaked memory is allocated only when in == NULL, and
it's not freed when fill == NULL && flush == NULL. However, "in" and
"fill" must never be NULL at the same time if the caller is following
the decompress_fn API defined in include/linux/decompress/generic.h. So
there is no leak.

Some implementations of the API explicitly check for input == NULL &&
fill == NULL while some don't. E.g. decompress_unlz4.c checks it but in
addition it seems to also reject the case where input != NULL && fill
!= NULL. Perhaps that combination isn't used anywhere but it is allowed
by the API ("input" would be a temporary buffer for "fill"). I think
the decompress_fn API is more complex than it looks at glance.

-- 
Lasse Collin  |  IRC: Larhzu @ IRCnet & Freenode