Created attachment 15255: Memory Leak in elfxx-x86.c

Hi, I found a memory leak bug in the source code of binutils, and I have shown the execution sequence below. This bug exists in the file /bfd/elfxx-x86.c. The red text illustrates the steps that generate the bug. As shown in the diagram, in the function _bfd_x86_elf_link_hash_table_create, a block of memory is allocated for the variable ret->loc_hash_memory. However, if ret->loc_hash_table fails to be created, it will result in returning NULL, potentially causing a memory leak vulnerability. Although the reported bug trace is for version 2.32, I've checked that this bug still exists in the latest version. Can you help to check whether this bug is real? Thanks for your effort.
(In reply to 时宇羽然 from comment #0)
> Hi, I found a memory leak bug in the source code of binutils, and I have
> shown the execution sequence below. This bug exists in the file /bfd/elfxx-x86.c.
> The red text illustrates the steps that generate the bug.
> As shown in the diagram, in the function
> _bfd_x86_elf_link_hash_table_create, a block of memory is allocated for the
> variable ret->loc_hash_memory. However, if ret->loc_hash_table fails to be
> created, it will result in returning NULL, potentially causing a memory leak
> vulnerability.

Thank you for reporting this problem. As it turns out however there is no leak. If ret->loc_hash_table is NULL and/or ret->loc_hash_memory is NULL then the code calls the elf_x86_link_hash_table_free() function which tests and frees both fields. Hence no leak.

One thing that might not be obvious however is how the elf_x86_link_hash_table_free() function obtains the correct pointers to examine, since it is passed the "abfd" pointer and not the "ret" pointer. The answer to this is the call to _bfd_elf_link_hash_table_init() earlier on in the function, which is passed the address of the first field in "ret" (i.e. "&ret->elf") and this is then passed on to _bfd_link_hash_table_init() which then stores the value in the link.hash field of the bfd.

I hope that this makes sense.
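The ownership pattern the reply describes, as an added, simplified model that is not binutils code: the struct names, the fault-injection flags, the allocation counter and the helper functions below are assumptions made for this illustration. What it shows is why the failure path does not leak: the outer table embeds the generic table as its first field, the init routine stores `&ret->elf` in the owner object (the stand-in for `abfd->link.hash`), and the free routine, which receives only the owner, recovers the outer table from that pointer and releases every sub-allocation, including the ones that were successfully allocated before the failing one.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model only (assumption): NOT bfd/elfxx-x86.c.  Names are
   chosen to mirror the ones discussed in the bug, nothing more. */

struct generic_table { int initialised; };   /* stands in for elf_link_hash_table */

struct owner {                                /* stands in for the bfd */
    struct generic_table *hash;               /* stands in for abfd->link.hash */
};

struct x86_table {                            /* stands in for elf_x86_link_hash_table */
    struct generic_table elf;                 /* FIRST field: &ret->elf == (void *) ret */
    void *loc_hash_table;
    void *loc_hash_memory;
};

/* Fault injection and leak accounting for the illustration (assumptions). */
static int fail_loc_hash_table;
static int fail_loc_hash_memory;
static int live_blocks;

static void *tracked_alloc(size_t n, int fail)
{
    if (fail) return NULL;
    void *p = calloc(1, n);
    if (p) live_blocks++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) { live_blocks--; free(p); }      /* tests the pointer, like the real code */
}

/* Mirrors _bfd_link_hash_table_init storing the table pointer in the owner. */
static int generic_table_init(struct owner *o, struct generic_table *t)
{
    t->initialised = 1;
    o->hash = t;
    return 1;
}

/* Mirrors elf_x86_link_hash_table_free: receives the owner, not "ret". */
static void x86_table_free(struct owner *o)
{
    /* The cast is valid because elf is the first field of x86_table. */
    struct x86_table *ret = (struct x86_table *) o->hash;
    if (ret == NULL) return;
    tracked_free(ret->loc_hash_table);
    tracked_free(ret->loc_hash_memory);
    o->hash = NULL;
    tracked_free(ret);
}

/* Mirrors _bfd_x86_elf_link_hash_table_create. */
static struct generic_table *x86_table_create(struct owner *o)
{
    struct x86_table *ret = tracked_alloc(sizeof *ret, 0);
    if (ret == NULL) return NULL;
    if (!generic_table_init(o, &ret->elf)) { tracked_free(ret); return NULL; }
    ret->loc_hash_table  = tracked_alloc(64, fail_loc_hash_table);
    ret->loc_hash_memory = tracked_alloc(128, fail_loc_hash_memory);
    if (ret->loc_hash_table == NULL || ret->loc_hash_memory == NULL) {
        x86_table_free(o);   /* reaches ret through o->hash, frees both fields */
        return NULL;
    }
    return &ret->elf;
}

/* Run a create with the given faults; returns blocks still live afterwards
   (0 means nothing leaked), or -1 if create unexpectedly succeeded. */
static int leaked_blocks_after_failed_create(int fail_table, int fail_memory)
{
    struct owner o = { NULL };
    fail_loc_hash_table  = fail_table;
    fail_loc_hash_memory = fail_memory;
    live_blocks = 0;
    if (x86_table_create(&o) != NULL) { x86_table_free(&o); return -1; }
    return live_blocks;
}

/* Success path: live blocks while the table exists (after_free == 0) or
   after it has been torn down through the owner (after_free != 0). */
static int success_path_blocks(int after_free)
{
    struct owner o = { NULL };
    fail_loc_hash_table = fail_loc_hash_memory = 0;
    live_blocks = 0;
    if (x86_table_create(&o) == NULL) return -1;
    int during = live_blocks;
    x86_table_free(&o);
    return after_free ? live_blocks : during;
}

int main(void)
{
    printf("leak after loc_hash_table failure:  %d blocks\n", leaked_blocks_after_failed_create(1, 0));
    printf("leak after loc_hash_memory failure: %d blocks\n", leaked_blocks_after_failed_create(0, 1));
    printf("success path: %d live, %d after free\n", success_path_blocks(0), success_path_blocks(1));
    return 0;
}
```

The check a reviewer would run on the real code is the same one the model makes explicit: follow the pointer stored by the init call back to the container, and confirm that the cleanup routine tests each sub-allocation before freeing it, so that a partially constructed table (one field allocated, the other NULL) is released completely on the error path.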