[PATCH v2] libelf: {de,}compress: ensure zlib resource cleanup

Matthias Maennich maennich@google.com
Mon Apr 27 08:14:47 GMT 2020 

On Sat, Apr 25, 2020 at 01:28:33AM +0200, Mark Wielaard wrote:
>Hi,
>
>On Fri, Mar 20, 2020 at 12:17:55PM +0100, Matthias Maennich via Elfutils-devel wrote:
>> __libelf_decompress would only cleanup zlib resources via inflateEnd()
>> in case inflating was successful, but would leak memory if not. Fix this
>> by calling inflateEnd() unconditionally.
>>
>> __libelf_decompress did this all the time already, but called
>> deflateEnd() twice. That is not a (known) issue, but can be cleaned up
>> by ensuring all error paths use 'return deflate_cleanup' and the success
>> path calls deflateEnd() only once. Note, the deflate() needs to return
>> Z_STREAM_END to indicate we are done. Hence change the condition.
>>
>> Fixes: 272018bba1f2 ("libelf: Add elf_compress and elf_compress_gnu.")
>> Signed-off-by: Matthias Maennich <maennich@google.com>
>> ---
>>  libelf/elf_compress.c | 11 +++++------
>>  1 file changed, 5 insertions(+), 6 deletions(-)
>>
>> diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c
>> index 244467b5e3ae..b1b896890ff7 100644
>> --- a/libelf/elf_compress.c
>> +++ b/libelf/elf_compress.c
>> @@ -115,7 +115,7 @@ __libelf_compress (Elf_Scn *scn, size_t hsize, int ei_data,
>>      {
>>        free (out_buf);
>>        __libelf_seterrno (ELF_E_COMPRESS_ERROR);
>> -      return NULL;
>> +      return deflate_cleanup(NULL, NULL);
>>      }
>
>I was sure this was correct. But we both missed that deflate_cleanup
>is a macro that passes out_buf and frees it. So now it is freed
>twice... Oops.
>
>GCC10 (not released yet, but already in Fedora 32 beta) has a new
>-fanalyzer option which does catch this:
>
>elf_compress.c: In function ‘__libelf_compress’:
>elf_compress.c:50:3: error: double-‘free’ of ‘out_buf’ [CWE-415] [-Werror=analyzer-double-free]
>   50 |   free (out_buf);
>      |   ^~~~~~~~~~~~~~
>  ‘__libelf_compress’: events 1-10
>    |
>    |   50 |   free (out_buf);
>    |      |   ~~~~~~~~~~~~~~
>    |      |   |
>    |      |   (10) second ‘free’ here; first ‘free’ was at (9)
>    |......
>    |   79 |   if (data == NULL)
>    |      |      ^
>    |      |      |
>    |      |      (1) following ‘false’ branch (when ‘data’ is non-NULL)...
>    |......
>    |   86 |   Elf_Data *next_data = elf_getdata (scn, data);
>    |      |   ~~~~~~~~
>    |      |   |
>    |      |   (2) ...to here
>    |......
>    |   91 |   *orig_addralign = data->d_align;
>    |      |   ~
>    |      |   |
>    |      |   (3) allocated here
>    |......
>    |  100 |   if (out_buf == NULL)
>    |      |      ~
>    |      |      |
>    |      |      (4) assuming ‘out_buf’ is non-NULL
>    |      |      (5) following ‘false’ branch (when ‘out_buf’ is non-NULL)...
>    |......
>    |  107 |   size_t used = hsize;
>    |      |   ~~~~~~
>    |      |   |
>    |      |   (6) ...to here
>    |......
>    |  114 |   if (zrc != Z_OK)
>    |      |      ~
>    |      |      |
>    |      |      (7) following ‘true’ branch (when ‘zrc != 0’)...
>    |  115 |     {
>    |  116 |       free (out_buf);
>    |      |       ~~~~
>    |      |       |
>    |      |       (8) ...to here
>    |      |       (9) first ‘free’ here
>    |
>
>Fixed by removing the free (out_buf) on line 116 as attached.

Hi Mark!

Thanks for catching and fixing that!

>
>Cheers,
>
>Mark

>From 0b2fc95c46dabf85d053b2f0c6aab217b9c5a9b8 Mon Sep 17 00:00:00 2001
>From: Mark Wielaard <mark@klomp.org>
>Date: Sat, 25 Apr 2020 01:21:12 +0200
>Subject: [PATCH] libelf: Fix double free in __libelf_compress on error path.
>
>In commit 2092865a7e589ff805caa47e69ac9630f34d4f2a
>"libelf: {de,}compress: ensure zlib resource cleanup" we added a
>call to deflate_cleanup to make sure all resources were freed.
>As GCC10 -fanalyzer points out that could cause a double free
>of out_buf. Fix by removing the free (out_buf) in __libelf_compress.
>
>Signed-off-by: Mark Wielaard <mark@klomp.org>
>---
> libelf/ChangeLog      | 4 ++++
> libelf/elf_compress.c | 1 -
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
>diff --git a/libelf/ChangeLog b/libelf/ChangeLog
>index 8f79a625..56f5354c 100644
>--- a/libelf/ChangeLog
>+++ b/libelf/ChangeLog
>@@ -1,3 +1,7 @@
>+2020-04-25  Mark Wielaard  <mark@klomp.org>
>+
>+	* elf_compress.c (__libelf_compress): Remove free (out_buf).
>+
> 2020-03-18  Omar Sandoval  <osandov@fb.com>
> 
> 	* elf_getphdrnum.c (__elf_getphdrnum_rdlock): Call
>diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c
>index b1b89689..e5d3d2e0 100644
>--- a/libelf/elf_compress.c
>+++ b/libelf/elf_compress.c
>@@ -113,7 +113,6 @@ __libelf_compress (Elf_Scn *scn, size_t hsize, int ei_data,
>   int zrc = deflateInit (&z, Z_BEST_COMPRESSION);
>   if (zrc != Z_OK)
>     {
>-      free (out_buf);

Maybe add a comment to the deflate_cleanup macro call then?

Cheers,
Matthias

>       __libelf_seterrno (ELF_E_COMPRESS_ERROR);
>       return deflate_cleanup(NULL, NULL);
>     }
>-- 
>2.26.0
>

More information about the Elfutils-devel mailing list