lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20260118065643.924837-1-geoffreyhe2@gmail.com>
Date: Sun, 18 Jan 2026 06:56:43 +0000
From: Weigang He <geoffreyhe2@...il.com>
To: Josh Poimboeuf <jpoimboe@...nel.org>,
	Peter Zijlstra <peterz@...radead.org>
Cc: linux-kernel@...r.kernel.org,
	Weigang He <geoffreyhe2@...il.com>
Subject: [PATCH] objtool: Fix memory leak in elf_alloc_reloc() on realloc failure

When realloc() fails in elf_alloc_reloc(), the original buffer pointer
is overwritten with NULL before the failure is detected. This causes
the original buffer to become unreachable, resulting in a memory leak.

Fix this by using a temporary variable to hold the realloc() result.
If realloc() fails, free the original buffer and set d_buf to NULL to
maintain the expected error state before returning -1.

This bug is found by my static analysis tool and my code review.

Signed-off-by: Weigang He <geoffreyhe2@...il.com>
---
 tools/objtool/elf.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
index 6a8ed9c62323e..e47c5c4f25314 100644
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -1521,12 +1521,15 @@ static int elf_alloc_reloc(struct elf *elf, struct section *rsec)
 		memcpy(rsec->data->d_buf, orig_buf,
 		       nr_relocs_old * elf_rela_size(elf));
 	} else {
-		rsec->data->d_buf = realloc(rsec->data->d_buf,
-					    nr_alloc * elf_rela_size(elf));
-		if (!rsec->data->d_buf) {
+		void *new_d_buf = realloc(rsec->data->d_buf,
+					  nr_alloc * elf_rela_size(elf));
+		if (!new_d_buf) {
 			ERROR_GLIBC("realloc");
+			free(rsec->data->d_buf);
+			rsec->data->d_buf = NULL;
 			return -1;
 		}
+		rsec->data->d_buf = new_d_buf;
 	}
 
 	rsec->nr_alloc_relocs = nr_alloc;
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ