Bug 24058

Summary: objdump memory leaks in readelf.c
Product: binutils
Reporter: zerokeeper <0x0keeper>
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Severity: normal
CC: nickc
Priority: P2
Version: 2.31
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: binutil-objdump-memory-leaks-readelf

Description zerokeeper 2019-01-03 17:55:32 UTC
Created attachment 11509

Hi, binutils team. I found there are memory leaks in readelf.c when using objdump.
Here is the AddressSanitizer info.

./objdump   -W poc

==21635==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 54 byte(s) in 2 object(s) allocated from:
    #0 0x4b91a8 in __interceptor_malloc (/root/fuzz/binutils-2.31/binutils/readelf+0x4b91a8)
    #1 0x4eb374 in get_data /root/fuzz/binutils-2.31/binutils/readelf.c:425:9
    #2 0x5548f0 in get_section_contents /root/fuzz/binutils-2.31/binutils/readelf.c:13243:20
    #3 0x5548f0 in process_notes_at /root/fuzz/binutils-2.31/binutils/readelf.c:18179
    #4 0x5126a9 in process_note_sections /root/fuzz/binutils-2.31/binutils/readelf.c:18456:10
    #5 0x5126a9 in process_notes /root/fuzz/binutils-2.31/binutils/readelf.c:18492
    #6 0x5126a9 in process_object /root/fuzz/binutils-2.31/binutils/readelf.c:18850
    #7 0x4ee043 in process_file /root/fuzz/binutils-2.31/binutils/readelf.c:19259:13
    #8 0x4ee043 in main /root/fuzz/binutils-2.31/binutils/readelf.c:19318
    #9 0x7fb198cba82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: 54 byte(s) leaked in 2 allocation(s).

code in binutils-2.31/binutils/readelf.c:425:9

  mvar = var;
  if (mvar == NULL)
    {
      /* Check for overflow.  */
      if (nmemb < (~(bfd_size_type) 0 - 1) / size)
        /* + 1 so that we can '\0' terminate invalid string table sections.  */
        mvar = malloc ((size_t) amt + 1);

      if (mvar == NULL)
        {
          if (reason)
            error (_("Out of memory allocating %s bytes for %s\n"),
                   bfd_vmatoa ("u", amt), reason);
          return NULL;
        }

      /* This buffer was allocated here because the caller passed var == NULL,
         so the caller owns it and is responsible for freeing it.  */
      ((char *) mvar)[amt] = '\0';
    }
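The allocation LeakSanitizer points at is the `var == NULL` branch of get_data(): when the caller passes no buffer, get_data() mallocs one and ownership moves to the caller, which must free it. The following is an added example, not code from binutils, showing that contract with a simplified stand-in (demo_get_data, demo_count_strings and demo_header_is_elf are hypothetical names, and the ten-byte "file" is constructed for the demo). It keeps the overflow check and the extra terminating byte from the real routine, adds a range check against the file length, and shows both ownership modes: a caller that frees what it asked get_data to allocate, and a caller that supplies its own storage and therefore has nothing to free.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample "file": ELF magic followed by two NUL-terminated
   strings.  Ten bytes in total. */
static const unsigned char demo_file[] =
  { 0x7f, 'E', 'L', 'F', 'a', 'b', '\0', 'c', 'd', '\0' };
#define DEMO_FILE_LEN (sizeof demo_file)

/* Hypothetical stand-in for readelf's get_data().  Copies nmemb * size bytes
   found at `offset` in the in-memory file.  If `var` is NULL the buffer is
   malloc'd with one extra byte and NUL terminated, and the CALLER owns it;
   if `var` is non-NULL it is used and nothing is allocated.  Returns NULL on
   overflow, on an out-of-range request, or if malloc fails. */
void *
demo_get_data (void *var, const unsigned char *file, size_t file_len,
               size_t offset, size_t size, size_t nmemb)
{
  size_t amt;
  void *mvar;

  if (size == 0 || nmemb == 0)
    return NULL;
  /* Overflow check in the style of readelf.c: nmemb * size + 1 must fit. */
  if (nmemb >= (SIZE_MAX - 1) / size)
    return NULL;
  amt = nmemb * size;
  /* Range check against the file, written so offset + amt cannot wrap. */
  if (offset > file_len || amt > file_len - offset)
    return NULL;

  mvar = var;
  if (mvar == NULL)
    {
      mvar = malloc (amt + 1);          /* + 1 for the terminator */
      if (mvar == NULL)
        return NULL;
      ((char *) mvar)[amt] = '\0';      /* keeps strlen() inside the buffer */
    }
  memcpy (mvar, file + offset, amt);
  return mvar;
}

/* Caller that owns the allocation: reads nmemb bytes at `offset`, counts the
   strings in them, and frees the buffer before returning.  Returns -1 when
   demo_get_data rejects the request. */
int
demo_count_strings (size_t offset, size_t nmemb)
{
  unsigned char *buf = demo_get_data (NULL, demo_file, DEMO_FILE_LEN,
                                      offset, 1, nmemb);
  size_t pos = 0;
  int count = 0;

  if (buf == NULL)
    return -1;
  /* The extra NUL from demo_get_data makes strlen() safe even when the last
     string in the region has no terminator of its own. */
  while (pos < nmemb)
    {
      size_t len = strlen ((char *) buf + pos);
      if (len > 0)
        count++;
      pos += len + 1;
    }
  free (buf);                           /* we passed var == NULL, so we free */
  return count;
}

/* Caller-supplied storage: no heap allocation, so nothing to free.
   Returns 1 if the first four bytes are the ELF magic, 0 otherwise. */
int
demo_header_is_elf (void)
{
  unsigned char hdr[4];

  if (demo_get_data (hdr, demo_file, DEMO_FILE_LEN, 0, 1, sizeof hdr) == NULL)
    return 0;
  return memcmp (hdr, "\x7f" "ELF", 4) == 0;
}

int
main (void)
{
  printf ("strings in bytes 4..10: %d\n", demo_count_strings (4, 6));       /* 2 */
  printf ("strings in bytes 4..9 (truncated): %d\n", demo_count_strings (4, 5)); /* 2 */
  printf ("out of range: %d\n", demo_count_strings (8, 5));                /* -1 */
  printf ("overflow: %d\n", demo_count_strings (0, SIZE_MAX));             /* -1 */
  printf ("ELF magic: %d\n", demo_header_is_elf ());                       /* 1 */
  return 0;
}
```

Building this with `-fsanitize=address` and deleting the `free (buf)` line reproduces the kind of LeakSanitizer report shown above: the allocation site is inside the helper, but the missing free belongs to the caller, which is why the fix for such reports lives in functions like process_notes_at rather than in get_data itself.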
Comment 1 Nick Clifton 2019-01-14 17:14:08 UTC
Hi zerokeeper,

  Thanks for reporting this problem.  Unfortunately this leak is too small
  to be worth tracing and fixing.  Since the objdump program always
  terminates, the memory will be reclaimed by the system, so there is no
  real incentive to fix the leak.