From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 27 Apr 2020 10:14:47 +0200
From: Matthias Maennich
To: Mark Wielaard
Cc: elfutils-devel@sourceware.org, kernel-team@android.com
Subject: Re: [PATCH v2] libelf: {de,}compress: ensure zlib resource cleanup
Message-ID: <20200427081447.GB178393@google.com>
References: <20200315220329.82201-1-maennich@google.com> <20200320111755.67258-1-maennich@google.com> <20200424232833.GA18361@wildebeest.org>
In-Reply-To: <20200424232833.GA18361@wildebeest.org>
List-Id: Elfutils-devel mailing list

On Sat, Apr 25, 2020 at 01:28:33AM +0200, Mark Wielaard wrote:
>Hi,
>
>On Fri, Mar 20, 2020 at 12:17:55PM +0100, Matthias Maennich via Elfutils-devel wrote:
>> __libelf_decompress would only cleanup zlib resources via inflateEnd()
>> in case inflating was successful, but would leak memory if not. Fix this
>> by calling inflateEnd() unconditionally.
>>
>> __libelf_decompress did this all the time already, but called
>> deflateEnd() twice. That is not a (known) issue, but can be cleaned up
>> by ensuring all error paths use 'return deflate_cleanup' and the success
>> path calls deflateEnd() only once. Note, the deflate() needs to return
>> Z_STREAM_END to indicate we are done. Hence change the condition.
>> >> Fixes: 272018bba1f2 ("libelf: Add elf_compress and elf_compress_gnu.") >> Signed-off-by: Matthias Maennich >> --- >> libelf/elf_compress.c | 11 +++++------ >> 1 file changed, 5 insertions(+), 6 deletions(-) >> >> diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c >> index 244467b5e3ae..b1b896890ff7 100644 >> --- a/libelf/elf_compress.c >> +++ b/libelf/elf_compress.c 
>> @@ -115,7 +115,7 @@ __libelf_compress (Elf_Scn *scn, size_t hsize, int ei_data, >> { >> free (out_buf); >> __libelf_seterrno (ELF_E_COMPRESS_ERROR); >> - return NULL; >> + return deflate_cleanup(NULL, NULL); >> } > >I was sure this was correct. But we both missed that deflate_cleanup >is a macro that passes out_buf and frees it. So now it is freed >twice... Oops. > >GCC10 (not released yet, but already in Fedora 32 beta) has a new >-fanalyzer option which does catch this: > >elf_compress.c: In function ‘__libelf_compress’: >elf_compress.c:50:3: error: double-‘free’ of ‘out_buf’ [CWE-415] [-Werror=analyzer-double-free] > 50 | free (out_buf); > | ^~~~~~~~~~~~~~ > ‘__libelf_compress’: events 1-10 > | > | 50 | free (out_buf); > | | ~~~~~~~~~~~~~~ > | | | > | | (10) second ‘free’ here; first ‘free’ was at (9) > |...... > | 79 | if (data == NULL) > | | ^ > | | | > | | (1) following ‘false’ branch (when ‘data’ is non-NULL)... > |...... > | 86 | Elf_Data *next_data = elf_getdata (scn, data); > | | ~~~~~~~~ > | | | > | | (2) ...to here > |...... > | 91 | *orig_addralign = data->d_align; > | | ~ > | | | > | | (3) allocated here > |...... > | 100 | if (out_buf == NULL) > | | ~ > | | | > | | (4) assuming ‘out_buf’ is non-NULL > | | (5) following ‘false’ branch (when ‘out_buf’ is non-NULL)... > |...... > | 107 | size_t used = hsize; > | | ~~~~~~ > | | | > | | (6) ...to here > |...... > | 114 | if (zrc != Z_OK) > | | ~ > | | | > | | (7) following ‘true’ branch (when ‘zrc != 0’)... > | 115 | { > | 116 | free (out_buf); > | | ~~~~ > | | | > | | (8) ...to here > | | (9) first ‘free’ here > | > >Fixed by removing the free (out_buf) on line 116 as attached. Hi Mark! Thanks for catching and fixing that! > >Cheers, > >Mark >From 0b2fc95c46dabf85d053b2f0c6aab217b9c5a9b8 Mon Sep 17 00:00:00 2001 
>From: Mark Wielaard >Date: Sat, 25 Apr 2020 01:21:12 +0200 >Subject: [PATCH] libelf: Fix double free in __libelf_compress on error path. > >In commit 2092865a7e589ff805caa47e69ac9630f34d4f2a >"libelf: {de,}compress: ensure zlib resource cleanup" we added a >call to deflate_cleanup to make sure all resources were freed. >As GCC10 -fanalyzer points out that could cause a double free >of out_buf. Fix by removing the free (out_buf) in __libelf_compress. > >Signed-off-by: Mark Wielaard >--- > libelf/ChangeLog | 4 ++++ > libelf/elf_compress.c | 1 - > 2 files changed, 4 insertions(+), 1 deletion(-) > >diff --git a/libelf/ChangeLog b/libelf/ChangeLog >index 8f79a625..56f5354c 100644 >--- a/libelf/ChangeLog >+++ b/libelf/ChangeLog >@@ -1,3 +1,7 @@ >+2020-04-25 Mark Wielaard >+ >+ * elf_compress.c (__libelf_compress): Remove free (out_buf). >+ > 2020-03-18 Omar Sandoval > > * elf_getphdrnum.c (__elf_getphdrnum_rdlock): Call >diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c >index b1b89689..e5d3d2e0 100644 >--- a/libelf/elf_compress.c >+++ b/libelf/elf_compress.c >@@ -113,7 +113,6 @@ __libelf_compress (Elf_Scn *scn, size_t hsize, int ei_data, > int zrc = deflateInit (&z, Z_BEST_COMPRESSION); > if (zrc != Z_OK) > { >- free (out_buf); Maybe add a comment to the deflate_cleanup macro call then? Cheers, Matthias > __libelf_seterrno (ELF_E_COMPRESS_ERROR); > return deflate_cleanup(NULL, NULL); > } >-- >2.26.0 >
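Review bot: in the v2 hunk at @@ -115,7 +115,7 @@ of libelf/elf_compress.c, `free (out_buf);` is kept immediately before the new `return deflate_cleanup(NULL, NULL);`, and, as the reply above points out, deflate_cleanup is a macro that itself frees out_buf, so this error path releases the buffer twice (GCC 10's -fanalyzer reports it as CWE-415). Drop the explicit free so the macro is the only owner of out_buf on that path.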
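Review bot: with `free (out_buf);` removed in the @@ -113,7 +113,6 @@ hunk of libelf/elf_compress.c, the only place this error path releases out_buf is inside the deflate_cleanup macro expansion, which is easy to miss from the call site (the v2 patch missed it). A one-line comment above `return deflate_cleanup(NULL, NULL);` saying that the macro frees out_buf and ends the stream would keep a later cleanup from reintroducing the explicit free; the removal itself is correct.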
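The ownership rule the thread arrives at, shown as an added example (this is not elfutils code and not the patch under review): one cleanup macro owns out_buf on every error path, and no explicit free precedes it. The stream type, the CLEANUP macro, compress_demo and the free counter are hypothetical stand-ins for z_stream, deflate_cleanup and __libelf_compress; the counter exists only so the check can prove the buffer is released exactly once on the error path and handed to the caller on the success path.

```c
/* Added example, not elfutils code.  Demonstrates the ownership rule from
 * the thread: a single cleanup macro owns out_buf on every error exit, so
 * no error path can free it a second time.  All names here are
 * hypothetical stand-ins for z_stream, deflate_cleanup and
 * __libelf_compress. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for z_stream: records whether teardown (deflateEnd) ran. */
struct demo_stream {
  int initialized;
  int ended;
};

static int demo_init(struct demo_stream *z) { z->initialized = 1; z->ended = 0; return 0; }
static void demo_end(struct demo_stream *z) { if (z->initialized) z->ended = 1; }

/* Counts non-NULL releases so a check can prove "freed exactly once". */
static int demo_free_calls = 0;
static void demo_release(void *p) { if (p != NULL) demo_free_calls++; free(p); }

/* The single owner of out_buf on error exits: tear down the stream, free
 * the buffer, null the pointer (so any later stray free is a harmless
 * free(NULL)) and return.  The caller must not free out_buf before using
 * this macro; that is exactly the double free the v2 patch introduced. */
#define CLEANUP(result)          \
  do {                           \
    demo_end(z);                 \
    demo_release(out_buf);       \
    out_buf = NULL;              \
    return (result);             \
  } while (0)

/* Copies `in` into a fresh buffer (stand-in for compressing a section).
 * A nonzero fail_step simulates the deflate step failing, which is the
 * error path the elfutils patch touched.  Returns NULL on error; on
 * success ownership of the returned buffer passes to the caller. */
char *compress_demo(struct demo_stream *z, const char *in, int fail_step)
{
  char *out_buf = malloc(strlen(in) + 1);
  if (out_buf == NULL)
    return NULL;                 /* nothing else allocated yet */
  if (demo_init(z) != 0)
    CLEANUP(NULL);
  if (fail_step)
    /* Error path: no explicit free here, CLEANUP owns out_buf. */
    CLEANUP(NULL);
  strcpy(out_buf, in);
  demo_end(z);                   /* success path ends the stream once */
  return out_buf;
}

/* Error path check: NULL returned, stream ended, buffer freed once. */
int error_path_is_clean(void)
{
  struct demo_stream z = {0, 0};
  demo_free_calls = 0;
  char *r = compress_demo(&z, "section bytes", 1);
  return r == NULL && z.ended == 1 && demo_free_calls == 1;
}

/* Success path check: buffer returned intact, stream ended, not freed. */
int success_path_is_clean(void)
{
  struct demo_stream z = {0, 0};
  demo_free_calls = 0;
  char *s = compress_demo(&z, "abc", 0);
  int ok = s != NULL && strcmp(s, "abc") == 0 && z.ended == 1 && demo_free_calls == 0;
  free(s);
  return ok;
}

int main(void)
{
  printf("error path clean: %d\n", error_path_is_clean());
  printf("success path clean: %d\n", success_path_is_clean());
  return 0;
}
```

The macro references the locals `z` and `out_buf` by name, which is the same hidden coupling that made deflate_cleanup easy to misread at its call site; keeping the free inside the macro and nothing else is what makes the error paths safe, and GCC 10's -fanalyzer, as the thread shows, is the check worth running on code that uses this pattern.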