Open Source and information security mailing list archives
 
Date:   Sun,  8 Oct 2017 19:11:19 +0200
From:   Ulf Magnusson <ulfalizer@...il.com>
To:     yann.morin.1998@...e.fr, linux-kbuild@...r.kernel.org
Cc:     sam@...nborg.org, zippel@...ux-m68k.org, nicolas.pitre@...aro.org,
        michal.lkml@...kovi.net, dirk@...ders.net,
        yamada.masahiro@...ionext.com, lacombar@...il.com,
        walch.martin@....de, JBeulich@...e.com,
        linux-kernel@...r.kernel.org, Ulf Magnusson <ulfalizer@...il.com>
Subject: [PATCH 2/6] kconfig: Don't leak 'source' filenames during parsing

The 'source_stmt' nonterminal takes a 'prompt', which consists of either
a T_WORD or a T_WORD_QUOTE, both of which are always allocated on the
heap in zconf.l and need to have their associated strings freed. Free
them.

The existing code already makes sure to always copy the string, but add
a warning to sym_expand_string_value() to make it clear that the string
must be copied, just in case.

Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix:

	LEAK SUMMARY:
	   definitely lost: 387,504 bytes in 15,545 blocks
	   ...

Summary after the fix:

	LEAK SUMMARY:
	   definitely lost: 344,616 bytes in 14,355 blocks
	   ...

Signed-off-by: Ulf Magnusson <ulfalizer@...il.com>
---
 scripts/kconfig/symbol.c | 5 +++++
 scripts/kconfig/zconf.y  | 1 +
 2 files changed, 6 insertions(+)

diff --git a/scripts/kconfig/symbol.c b/scripts/kconfig/symbol.c
index 20136ff..4fb0e43 100644
--- a/scripts/kconfig/symbol.c
+++ b/scripts/kconfig/symbol.c
@@ -907,6 +907,11 @@ const char *sym_expand_string_value(const char *in)
 	char *res;
 	size_t reslen;
 
+	/*
+	 * Note: 'in' might come from a token that's about to be
+	 * freed, so make sure to always allocate a new string
+	 */
+
 	reslen = strlen(in) + 1;
 	res = xmalloc(reslen);
 	res[0] = '\0';
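Review bot: the new comment in sym_expand_string_value() documents a maintainer concern rather than the function's contract, and the blank line after it detaches it from the code it refers to. What callers actually need to know is visible two lines down in `res = xmalloc(reslen);`: the function always returns a freshly allocated buffer, so 'in' may be freed as soon as it returns and the caller owns the result. That belongs in a header comment on the function, e.g. `/* Returns a newly allocated string owned by the caller; 'in' may be freed after this returns. */`, with the stray blank line dropped.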
diff --git a/scripts/kconfig/zconf.y b/scripts/kconfig/zconf.y
index f201241..a770117 100644
--- a/scripts/kconfig/zconf.y
+++ b/scripts/kconfig/zconf.y
@@ -393,6 +393,7 @@ source_stmt: T_SOURCE prompt T_EOL
 {
 	printd(DEBUG_PARSE, "%s:%d:source %s\n", zconf_curname(), zconf_lineno(), $2);
 	zconf_nextfile($2);
+	free($2);
 };
 
 /* comment entry */
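Review bot: the added free($2) in source_stmt is only correct if zconf_nextfile() never retains the pointer it is handed, and nothing in this hunk shows that; the commit message asserts that "the existing code already makes sure to always copy the string", but a reader of zconf.y cannot see where. Since $2 is an owned heap string from the lexer that nothing else releases, recording the assumption at the point of release, e.g. `free($2); /* zconf_nextfile() copies the name */`, would keep a future change to zconf_nextfile() from silently turning this into a use-after-free. The T_WORD/T_WORD_QUOTE distinction mentioned in the commit message does not affect the action: prompt yields a heap string in both cases, so a single unconditional free is the right shape.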
-- 
2.7.4

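The ownership rule the patch depends on, shown as a standalone added example (this is not kconfig code and not from the patch author): a parser action receives a heap-allocated token string, passes it to a consumer that copies whatever it keeps, and then frees the token. The names expand_value(), push_file(), source_action() and current_file() are hypothetical stand-ins for sym_expand_string_value(), zconf_nextfile() and the source_stmt action, and the "expansion" of stripping a leading "$" is a placeholder for the real variable expansion.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not kconfig code. Demonstrates why free($2) in a
 * parser action is safe only when every consumer copies the string it
 * keeps. All function and type names here are hypothetical.
 */

struct file_entry {
    char *name;              /* owned by the entry, freed in pop_all_files() */
    struct file_entry *next;
};

static struct file_entry *file_list;

/* Allocate a private copy of 's' (strdup without the feature-macro fuss). */
static char *copy_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (!p) {
        perror("malloc");
        exit(1);
    }
    memcpy(p, s, len);
    return p;
}

/*
 * Stand-in for sym_expand_string_value(): always returns a fresh
 * allocation, never 'in' itself, so the caller may free 'in' afterwards.
 * The "expansion" only strips a leading '$' for illustration.
 */
static char *expand_value(const char *in)
{
    return copy_string(in[0] == '$' ? in + 1 : in);
}

/*
 * Stand-in for zconf_nextfile(): keeps the name beyond the call, so it
 * stores the expanded copy rather than the token pointer it was given.
 */
static void push_file(const char *token)
{
    struct file_entry *e = malloc(sizeof *e);
    if (!e) {
        perror("malloc");
        exit(1);
    }
    e->name = expand_value(token);   /* a copy, never 'token' itself */
    e->next = file_list;
    file_list = e;
}

/*
 * Stand-in for the source_stmt action: consume the token, then release
 * it. Safe only because push_file() never retains 'token'.
 */
static void source_action(char *token)
{
    push_file(token);
    free(token);                      /* token is dangling from here on */
}

/* Name most recently pushed, or NULL when the stack is empty. */
static const char *current_file(void)
{
    return file_list ? file_list->name : NULL;
}

/* Release every entry; returns how many were freed. */
static size_t pop_all_files(void)
{
    size_t n = 0;
    while (file_list) {
        struct file_entry *e = file_list;
        file_list = e->next;
        free(e->name);
        free(e);
        n++;
    }
    return n;
}

int main(void)
{
    /* The lexer would hand the action a heap-allocated T_WORD_QUOTE;
     * simulate that with a constructed sample token. */
    char *tok = copy_string("$arch/Kconfig");
    source_action(tok);
    printf("sourcing %s\n", current_file());
    pop_all_files();
    return 0;
}
```

Running the program under `valgrind --leak-check=full` reports no definitely lost blocks; deleting the free() in source_action() reproduces the one-block-per-source leak the patch closes, and making push_file() store 'token' directly instead of a copy turns the same free() into a use-after-free that Valgrind flags on the printf().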