* PR31145, potential memory leak in binutils/ld
@ 2023-12-15  3:15 Alan Modra
  2023-12-15  9:04 ` Torbjorn SVENSSON
  2023-12-19 22:14 ` Alan Modra
  0 siblings, 2 replies; 4+ messages in thread
From: Alan Modra @ 2023-12-15  3:15 UTC (permalink / raw)
  To: binutils

	PR 31145
	* bfd.c (BFD_IN_MEMORY): Mention that bim is malloc'd.
	* format.c (io_reinit): Free BFD_IN_MEMORY iostream.
	* opncls.c (_bfd_delete_bfd): Likewise.
	(bfd_make_readable): Delete unnecessary code.
	* bfd-in2.h: Regenerate.

diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h
index 040d5560cdf..2807e694b8f 100644
--- a/bfd/bfd-in2.h
+++ b/bfd/bfd-in2.h
@@ -2035,8 +2035,8 @@ struct bfd
 #define BFD_TRADITIONAL_FORMAT    0x400
 
   /* This flag indicates that the BFD contents are actually cached
-     in memory.  If this is set, iostream points to a bfd_in_memory
-     struct.  */
+     in memory.  If this is set, iostream points to a malloc'd
+     bfd_in_memory struct.  */
 #define BFD_IN_MEMORY             0x800
 
   /* This BFD has been created by the linker and doesn't correspond
diff --git a/bfd/bfd.c b/bfd/bfd.c
index 616ded3f4be..a5df4ef0311 100644
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@@ -160,8 +160,8 @@ CODE_FRAGMENT
 .#define BFD_TRADITIONAL_FORMAT    0x400
 .
 .  {* This flag indicates that the BFD contents are actually cached
-.     in memory.  If this is set, iostream points to a bfd_in_memory
-.     struct.  *}
+.     in memory.  If this is set, iostream points to a malloc'd
+.     bfd_in_memory struct.  *}
 .#define BFD_IN_MEMORY             0x800
 .
 .  {* This BFD has been created by the linker and doesn't correspond
diff --git a/bfd/format.c b/bfd/format.c
index 66dc2e7e51e..31aeb52861a 100644
--- a/bfd/format.c
+++ b/bfd/format.c
@@ -166,7 +166,14 @@ io_reinit (bfd *abfd, struct bfd_preserve *preserve)
 	 won't do anything unless abfd->iovec is the cache_iovec.  */
       bfd_cache_close (abfd);
       abfd->iovec = preserve->iovec;
-      abfd->iostream = preserve->iostream;
+
+      if (abfd->iostream != preserve->iostream)
+	{
+	  if ((abfd->flags & BFD_IN_MEMORY) != 0)
+	    free (abfd->iostream);
+	  abfd->iostream = preserve->iostream;
+	}
+
       /* Handle in-memory to file backed transition.  */
       if ((abfd->flags & BFD_CLOSED_BY_CACHE) != 0
 	  && (abfd->flags & BFD_IN_MEMORY) != 0
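Review bot: The `free (abfd->iostream)` added in io_reinit releases the bim on the strength of the BFD_IN_MEMORY flag alone, and nothing in the hunk shows that the pointer is not still held elsewhere, for example in a bfd_preserve saved for another target attempt during format matching. If such a copy survives, a later restore would reinstall a dangling iostream, which turns a leak into a use-after-free. I would either drop the free here and release the bim only where the BFD is finally destroyed, or add a comment stating why no preserved state can alias it, e.g. `/* abfd owns this bim exclusively; no bfd_preserve refers to it.  */`. io_reinit's body starts and ends outside the hunk.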
diff --git a/bfd/opncls.c b/bfd/opncls.c
index 5a77562744c..e7b39593608 100644
--- a/bfd/opncls.c
+++ b/bfd/opncls.c
@@ -176,6 +176,8 @@ _bfd_delete_bfd (bfd *abfd)
   else
     free ((char *) bfd_get_filename (abfd));
 
+  if ((abfd->flags & BFD_IN_MEMORY) != 0)
+    free (abfd->iostream);
   free (abfd->arelt_data);
   free (abfd);
 }
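Review bot: In _bfd_delete_bfd the new `free (abfd->iostream)` trusts BFD_IN_MEMORY to mean that iostream is a live, malloc'd bim that nobody has released yet. If a close path has already freed the bim without clearing the pointer, this becomes a double free; and if the bim owns a separately allocated buffer (not visible here), freeing only the struct still leaks that buffer. I would state the invariant next to the check, e.g. `/* iostream is NULL here if the iovec's bclose already released the bim.  */`, and confirm that every path which frees the bim also sets `abfd->iostream = NULL`. The function starts outside the hunk.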
@@ -1064,7 +1066,6 @@ bfd_make_readable (bfd *abfd)
   abfd->section_count = 0;
   abfd->usrdata = NULL;
   abfd->cacheable = false;
-  abfd->flags |= BFD_IN_MEMORY;
   abfd->mtime_set = false;
 
   abfd->target_defaulted = true;

-- 
Alan Modra
Australia Development Lab, IBM


* Re: PR31145, potential memory leak in binutils/ld
  2023-12-15  3:15 PR31145, potential memory leak in binutils/ld Alan Modra
@ 2023-12-15  9:04 ` Torbjorn SVENSSON
  2023-12-15 12:05   ` Alan Modra
  2023-12-19 22:14 ` Alan Modra
  1 sibling, 1 reply; 4+ messages in thread
From: Torbjorn SVENSSON @ 2023-12-15  9:04 UTC (permalink / raw)
  To: Alan Modra, binutils

Hi Alan,

On 2023-12-15 04:15, Alan Modra wrote:
> 	PR 31145
> 	* bfd.c (BFD_IN_MEMORY): Mention that bim is malloc'd.
> 	* format.c (io_reinit): Free BFD_IN_MEMORY iostream.
> 	* opncls.c (_bfd_delete_bfd): Likewise.
> 	(bfd_make_readable): Delete unnecessary code.
> 	* bfd-in2.h: Regenerate.
> 
> diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h
> index 040d5560cdf..2807e694b8f 100644
> --- a/bfd/bfd-in2.h
> +++ b/bfd/bfd-in2.h
> @@ -2035,8 +2035,8 @@ struct bfd
>   #define BFD_TRADITIONAL_FORMAT    0x400
>   
>     /* This flag indicates that the BFD contents are actually cached
> -     in memory.  If this is set, iostream points to a bfd_in_memory
> -     struct.  */
> +     in memory.  If this is set, iostream points to a malloc'd
> +     bfd_in_memory struct.  */
>   #define BFD_IN_MEMORY             0x800
>   
>     /* This BFD has been created by the linker and doesn't correspond
> diff --git a/bfd/bfd.c b/bfd/bfd.c
> index 616ded3f4be..a5df4ef0311 100644
> --- a/bfd/bfd.c
> +++ b/bfd/bfd.c
> @@ -160,8 +160,8 @@ CODE_FRAGMENT
>   .#define BFD_TRADITIONAL_FORMAT    0x400
>   .
>   .  {* This flag indicates that the BFD contents are actually cached
> -.     in memory.  If this is set, iostream points to a bfd_in_memory
> -.     struct.  *}
> +.     in memory.  If this is set, iostream points to a malloc'd
> +.     bfd_in_memory struct.  *}
>   .#define BFD_IN_MEMORY             0x800
>   .
>   .  {* This BFD has been created by the linker and doesn't correspond
> diff --git a/bfd/format.c b/bfd/format.c
> index 66dc2e7e51e..31aeb52861a 100644
> --- a/bfd/format.c
> +++ b/bfd/format.c
> @@ -166,7 +166,14 @@ io_reinit (bfd *abfd, struct bfd_preserve *preserve)
>   	 won't do anything unless abfd->iovec is the cache_iovec.  */
>         bfd_cache_close (abfd);
>         abfd->iovec = preserve->iovec;
> -      abfd->iostream = preserve->iostream;
> +
> +      if (abfd->iostream != preserve->iostream)
> +	{
> +	  if ((abfd->flags & BFD_IN_MEMORY) != 0)
> +	    free (abfd->iostream);
> +	  abfd->iostream = preserve->iostream;

Should you also copy the flags from "preserve" to "abfd" before you call 
bfd_open_file?

Kind regards,
Torbjörn


* Re: PR31145, potential memory leak in binutils/ld
  2023-12-15  9:04 ` Torbjorn SVENSSON
@ 2023-12-15 12:05   ` Alan Modra
  0 siblings, 0 replies; 4+ messages in thread
From: Alan Modra @ 2023-12-15 12:05 UTC (permalink / raw)
  To: Torbjorn SVENSSON; +Cc: binutils

On Fri, Dec 15, 2023 at 10:04:52AM +0100, Torbjorn SVENSSON wrote:
> Hi Alan,
> 
> On 2023-12-15 04:15, Alan Modra wrote:
> > diff --git a/bfd/format.c b/bfd/format.c
> > index 66dc2e7e51e..31aeb52861a 100644
> > --- a/bfd/format.c
> > +++ b/bfd/format.c
> > @@ -166,7 +166,14 @@ io_reinit (bfd *abfd, struct bfd_preserve *preserve)
> >   	 won't do anything unless abfd->iovec is the cache_iovec.  */
> >         bfd_cache_close (abfd);
> >         abfd->iovec = preserve->iovec;
> > -      abfd->iostream = preserve->iostream;
> > +
> > +      if (abfd->iostream != preserve->iostream)
> > +	{
> > +	  if ((abfd->flags & BFD_IN_MEMORY) != 0)
> > +	    free (abfd->iostream);
> > +	  abfd->iostream = preserve->iostream;
> 
> Should you also copy the flags from "preserve" to "abfd" before you call
> bfd_open_file?

I don't see it is necessary, either before or after the above change.

-- 
Alan Modra
Australia Development Lab, IBM


* Re: PR31145, potential memory leak in binutils/ld
  2023-12-15  3:15 PR31145, potential memory leak in binutils/ld Alan Modra
  2023-12-15  9:04 ` Torbjorn SVENSSON
@ 2023-12-19 22:14 ` Alan Modra
  1 sibling, 0 replies; 4+ messages in thread
From: Alan Modra @ 2023-12-19 22:14 UTC (permalink / raw)
  To: binutils

Revert most of this patch, it isn't correct to free the BFD_IN_MEMORY
iostream in io_reinit.

	PR 31145
	* format.c (io_reinit): Revert last change.  Comment.
	* opncls.c (_bfd_delete_bfd): Likewise.

diff --git a/bfd/format.c b/bfd/format.c
index 31aeb52861a..0790a3a2ee5 100644
--- a/bfd/format.c
+++ b/bfd/format.c
@@ -163,16 +163,15 @@ io_reinit (bfd *abfd, struct bfd_preserve *preserve)
   if (abfd->iovec != preserve->iovec)
     {
       /* Handle file backed to in-memory transition.  bfd_cache_close
-	 won't do anything unless abfd->iovec is the cache_iovec.  */
+	 won't do anything unless abfd->iovec is the cache_iovec.
+	 Don't be tempted to call iovec->bclose here.  We don't want
+	 to call memory_bclose, which would free the bim.  The bim
+	 must be kept if bfd_check_format_matches is going to decide
+	 later that the PE format needing it is in fact the correct
+	 target match.  */
       bfd_cache_close (abfd);
       abfd->iovec = preserve->iovec;
-
-      if (abfd->iostream != preserve->iostream)
-	{
-	  if ((abfd->flags & BFD_IN_MEMORY) != 0)
-	    free (abfd->iostream);
-	  abfd->iostream = preserve->iostream;
-	}
+      abfd->iostream = preserve->iostream;
 
       /* Handle in-memory to file backed transition.  */
       if ((abfd->flags & BFD_CLOSED_BY_CACHE) != 0
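Review bot: The new comment in io_reinit explains why the bim must not be freed here, but it does not say where the bim is freed when the PE target turns out not to be the match, which is the leak this thread started from. With `abfd->iostream = preserve->iostream;` restored, the previous iostream pointer is simply overwritten and no release path is visible in the hunk. I would extend the comment to name the owner, along the lines of `The bim is released by <function that owns it> once format matching has finished.`, filled in with the actual function. io_reinit's body starts and ends outside the hunk.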
diff --git a/bfd/opncls.c b/bfd/opncls.c
index e7b39593608..32c95d6ba52 100644
--- a/bfd/opncls.c
+++ b/bfd/opncls.c
@@ -176,8 +176,6 @@ _bfd_delete_bfd (bfd *abfd)
   else
     free ((char *) bfd_get_filename (abfd));
 
-  if ((abfd->flags & BFD_IN_MEMORY) != 0)
-    free (abfd->iostream);
   free (abfd->arelt_data);
   free (abfd);
 }

-- 
Alan Modra
Australia Development Lab, IBM

