From be21bc4922652e4866400116ea83d5fb849bb934 Mon Sep 17 00:00:00 2001
From: Wenhua Huang
Date: Mon, 29 Jul 2024 11:24:36 +0800
Subject: [PATCH] Fix a memory leak in glob_for_cachedir()
(cherry picked from commit 14bd7261d0d13031f8390952baf9740714d93ea4)
---
 ...x-a-memory-leak-in-glob_for_cachedir.patch | 53 +++++++++++++++++++
 libdnf.spec | 6 ++-
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-a-memory-leak-in-glob_for_cachedir.patch
diff --git a/backport-Fix-a-memory-leak-in-glob_for_cachedir.patch b/backport-Fix-a-memory-leak-in-glob_for_cachedir.patch
new file mode 100644
index 0000000..4366f8e
--- /dev/null
+++ b/backport-Fix-a-memory-leak-in-glob_for_cachedir.patch
@@ -0,0 +1,53 @@
+From b245193e881912cf730b53ece74c410ef573e292 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Wed, 17 Jul 2024 09:30:59 +0200
+Subject: [PATCH 1/1] Fix a memory leak in glob_for_cachedir()
+
+Covscan complains:
+
+ Error: RESOURCE_LEAK (CWE-772): [#def1] [important]
+ libdnf-0.73.1/libdnf/hy-iutil.cpp:100:5: alloc_arg: "wordexp" allocates memory that is stored into "word_vector.we_wordv".
+ libdnf-0.73.1/libdnf/hy-iutil.cpp:102:9: leaked_storage: Variable "word_vector" going out of scope leaks the storage "word_vector.we_wordv" points to.
+ # 100| if (wordexp(p, &word_vector, 0)) {
+ # 101| g_free(p);
+ # 102|-> return ret;
+ # 103| }
+ # 104| for (guint i = 0; i < word_vector.we_wordc; ++i) {
+
+The issue is that Covscan model thinks that word_vector should be
+freed after failing wordexp(). glibc's manual does not explain whether
+it is or isn't necessary. However, POSIX manual mentions that the
+memory is valid on WRDE_NOSPACE (not enough memory) error. Reading
+glibc sources confirms that wordexp() on any error except of
+WRDE_NOSPACE cleans up and returns original, intact word_vector.
+
+Therefore I recognize the missing wordfree() call as an error and
+this patch fixed it.
+---
+ libdnf/hy-iutil.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libdnf/hy-iutil.cpp b/libdnf/hy-iutil.cpp
+index 43314c60..4848c9f7 100644
+--- a/libdnf/hy-iutil.cpp
++++ b/libdnf/hy-iutil.cpp
+@@ -89,7 +89,7 @@ glob_for_cachedir(char *path)
+ if (!g_str_has_suffix(path, "XXXXXX"))
+ return ret;
+
+- wordexp_t word_vector;
++ wordexp_t word_vector = {0};
+ char *p = g_strdup(path);
+ const int len = strlen(p);
+ struct stat s;
+@@ -98,6 +98,7 @@ glob_for_cachedir(char *path)
+ p[len-6] = '*';
+ p[len-5] = '\0';
+ if (wordexp(p, &word_vector, 0)) {
++ wordfree(&word_vector);
+ g_free(p);
+ return ret;
+ }
+--
+2.25.1
+
diff --git a/libdnf.spec b/libdnf.spec
index ae98152..c7b4040 100644
--- a/libdnf.spec
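Review bot: In the second hunk of the backported hy-iutil.cpp patch, `wordexp(p, &word_vector, 0)` still runs with flags 0, so the cache-directory path goes through full shell-style word expansion, including command substitution, when the code only needs the trailing `*` matched. Whether `path` can carry caller- or environment-influenced text is not visible from these hunks; if it can, `if (wordexp(p, &word_vector, WRDE_NOCMD)) {` would make such input fail with an error instead of being executed. The added `wordfree(&word_vector);` on the failure path is safe only because of the new `= {0}` initializer in the first hunk. A comment next to the initializer such as `/* zero-init: wordfree() is called even when wordexp() fails */` would keep the two lines from being separated later. glob_for_cachedir() begins and ends outside the hunks shown.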
+++ b/libdnf.spec @@ -18,7 +18,7 @@ Name: libdnf Version: 0.70.2 -Release: 5 +Release: 6 Summary: Library providing simplified C and Python API to libsolv License: LGPL-2.1-or-later URL: https://github.com/rpm-software-management/libdnf @@ -53,6 +53,7 @@ Patch6007: backport-MergedTransaction-Calculate-RPM-difference-b Patch6008: backport-MergedTransaction-Fix-invalid-memory-access-when-dropping.patch Patch6009: backport-Fix-countme-bucket-calculation.patch Patch6010: backport-Fix-up-some-comments-in-addCountmeFlag.patch +Patch6011: backport-Fix-a-memory-leak-in-glob_for_cachedir.patch %description A Library providing simplified C and Python API to libsolv. @@ -132,6 +133,9 @@ popd %{python3_sitearch}/hawkey/ %changelog +* Mon Jul 29 2024 Wenhua Huang - 0.70.2-6 +- Fix a memory leak in glob_for_cachedir() + * Tue Jul 23 2024 LuWu <2398491106@qq.com> - 0.70.2-5 - Fix countme bucket calculation -- Gitee