Open Source and information security mailing list archives
Date:   Sun, 3 May 2020 15:23:37 +0800
From:   Dongyang Zhan <zdyzztq@...il.com>
To:     linux-kernel@...r.kernel.org
Subject: Possible memory leak in unxz()

Hi,

I am a security researcher; my name is Dongyang Zhan. I found a potential bug.

I hope you can help me to confirm it.

Thank you.

Possible memory leak in Linux 4.10.17. The function unxz() in
/lib/decompress_unxz.c forgets to free the pointer 'in' when the
condition if (fill == NULL && flush == NULL) is true.

Source code and comments:

    if (in == NULL) {
        must_free_in = true;
        in = malloc(XZ_IOBUF_SIZE);
        if (in == NULL)
            goto error_alloc_in;
    }

    b.in = in;
    b.in_pos = 0;
    b.in_size = in_size;
    b.out_pos = 0;

    if (fill == NULL && flush == NULL) {
        /*
         * When this condition is true, control jumps to the switch
         * statement below, but the allocated 'in' is not freed before
         * return.
         */
        ret = xz_dec_run(s, &b);
    } else {
        .....
    }
    .....
    switch (ret) {
    case XZ_STREAM_END:
        return 0;

    case XZ_MEM_ERROR:
        /* This can occur only in multi-call mode. */
        error("XZ decompressor ran out of memory");
        break;

    case XZ_FORMAT_ERROR:
        error("Input is not in the XZ format (wrong magic bytes)");
        break;

    case XZ_OPTIONS_ERROR:
        error("Input was encoded with settings that are not "
              "supported by this XZ decoder");
        break;

    case XZ_DATA_ERROR:
    case XZ_BUF_ERROR:
        error("XZ-compressed data is corrupt");
        break;

    default:
        error("Bug in the XZ decompressor");
        break;
    }

    return -1;
    ....
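Added illustration, not part of the original mail and not kernel source: the C program below models only the ownership of 'in' along the control flow quoted in the report. An instrumented allocator counts buffers still owned when the function returns, so the single-call path (fill == NULL && flush == NULL) can be compared with the multi-call path, and the quoted shape (free only inside the else branch) can be compared with a repaired shape where the release is hoisted above the switch so every return path runs it. The names unxz_model, xalloc, xfree, dummy_fill, owned_after and the stand-in xz_ret enum are assumptions of this model; only XZ_STREAM_END, XZ_DATA_ERROR, XZ_IOBUF_SIZE and must_free_in come from the excerpt. Whether a caller ever passes in == NULL together with fill == NULL, which is what makes the path reachable, is not shown by the quoted lines and is not modelled.

```c
/* Added example (not kernel code): models the ownership of `in` in the
 * unxz() excerpt. Decoder, allocator and fill callback are stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define XZ_IOBUF_SIZE 4096

/* Stand-in for the decoder's verdict; only these three values are needed. */
enum xz_ret { XZ_OK, XZ_STREAM_END, XZ_DATA_ERROR };

typedef long (*fill_fn)(void *dest, unsigned long size);
typedef long (*flush_fn)(void *src, unsigned long size);

/* Instrumented allocator (assumption: replaces the kernel's malloc/free
 * helpers) so the number of still-owned buffers can be read back. */
static int live_allocs;

static void *xalloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Dummy fill callback: its mere presence selects multi-call mode. */
static long dummy_fill(void *dest, unsigned long size)
{
    (void)dest;
    (void)size;
    return 0;
}

/* fixed == false keeps the quoted shape: `in` is released only inside the
 * multi-call branch. fixed == true hoists the release so it runs on every
 * path that reaches the switch. dec_result replaces xz_dec_run()'s verdict. */
static int unxz_model(unsigned char *in, long in_size, fill_fn fill,
                      flush_fn flush, enum xz_ret dec_result, bool fixed)
{
    bool must_free_in = false;
    enum xz_ret ret;

    (void)in_size;

    if (in == NULL) {
        must_free_in = true;
        in = xalloc(XZ_IOBUF_SIZE);
        if (in == NULL)
            return -1;              /* error_alloc_in */
    }

    if (fill == NULL && flush == NULL) {
        ret = dec_result;           /* single xz_dec_run(s, &b) */
        /* falls through to the switch with `in` still owned */
    } else {
        ret = dec_result;           /* do { xz_dec_run() } while (XZ_OK) */
        if (!fixed && must_free_in)
            xfree(in);              /* the only release in the quoted shape */
    }

    if (fixed && must_free_in)
        xfree(in);                  /* common cleanup, before any return */

    switch (ret) {
    case XZ_STREAM_END:
        return 0;
    case XZ_DATA_ERROR:
        fprintf(stderr, "XZ-compressed data is corrupt\n");
        break;
    default:
        fprintf(stderr, "Bug in the XZ decompressor\n");
        break;
    }
    return -1;
}

/* Buffers still owned after one call with in == NULL, the case the report
 * describes. A non-zero result is exactly the leak being reported. */
static int owned_after(bool multi_call, enum xz_ret dec_result, bool fixed)
{
    live_allocs = 0;
    unxz_model(NULL, 0, multi_call ? dummy_fill : NULL, NULL, dec_result, fixed);
    return live_allocs;
}

int main(void)
{
    printf("single-call, quoted shape: %d buffer(s) leaked\n",
           owned_after(false, XZ_STREAM_END, false));
    printf("multi-call,  quoted shape: %d buffer(s) leaked\n",
           owned_after(true, XZ_STREAM_END, false));
    printf("single-call, hoisted free: %d buffer(s) leaked\n",
           owned_after(false, XZ_DATA_ERROR, true));
    printf("multi-call,  hoisted free: %d buffer(s) leaked\n",
           owned_after(true, XZ_DATA_ERROR, true));
    return 0;
}
```

The point the model makes is structural: because the switch has several return paths (the XZ_STREAM_END case returns directly, the others fall out to return -1), any cleanup that is conditional on the decoding mode must sit before the switch, or each exit needs its own release. Hoisting the `if (must_free_in) free(in);` above the switch gives one cleanup that both modes share.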
