[PATCH 1/1] libebgenv: fix memory leak in partition probing

11 views
Skip to first unread message

Felix Moessbauer

unread,
Oct 15, 2023, 10:46:56 PM10/15/23
to efibootg...@googlegroups.com, jan.k...@siemens.com, michae...@siemens.com, Felix Moessbauer
When probing partitions, the mountpoint string is allocated on the heap.
This needs to be freed as well in case of errors during probing.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
env/env_config_partitions.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/env/env_config_partitions.c b/env/env_config_partitions.c
index be52d7f..d50545e 100644
--- a/env/env_config_partitions.c
+++ b/env/env_config_partitions.c
@@ -65,6 +65,7 @@ bool probe_config_partitions(CONFIG_PART *cfgpart)
cfgpart[count] = tmp;
} else {
free(tmp.devpath);
+ free(tmp.mountpoint);
VERBOSE(stderr,
"Error, there are "
"more than %d config "
@@ -75,6 +76,7 @@ bool probe_config_partitions(CONFIG_PART *cfgpart)
count++;
} else {
free(tmp.devpath);
+ free(tmp.mountpoint);
}
part = ped_disk_next_partition(pd, part);
}
--
2.39.2

Michael Adler

unread,
Oct 16, 2023, 1:57:32 AM10/16/23
to Felix Moessbauer, efibootg...@googlegroups.com, jan.k...@siemens.com
Hi Felix,

although this will certainly free the memory I feel like it's the wrong place:
the fact that the partition has to be mounted is actually an implementation detail
(and not a pretty one). The function `probe_config_file` in `env_config_file.c` is
responsible for mounting and it does have some (obviously incomplete) logic to free the
mountpoint. Could you add the missing `free` there?

Kind Regards,
Michael

--
Michael Adler

Siemens AG
Technology
Connectivity & Edge
Smart Embedded Systems
T CED SES-DE
Otto-Hahn-Ring 6
81739 Munich, Germany

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann
Snabe; Managing Board: Roland Busch, Chairman, President and Chief Executive
Officer; Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese;
Registered offices: Berlin and Munich, Germany; Commercial registries:
Berlin-Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

Jan Kiszka

unread,
Oct 16, 2023, 2:03:51 AM10/16/23
to Felix Moessbauer, efibootg...@googlegroups.com, michae...@siemens.com
This is wrong, giving us a double-free. That memory is both allocated
and also released again in probe_config_file (unmount_partition).

Jan

--
Siemens AG, Technology
Linux Expert Center

MOESSBAUER, Felix

unread,
Oct 16, 2023, 2:20:43 AM10/16/23
to Kiszka, Jan, efibootg...@googlegroups.com, Adler, Michael

I'm almost certainly sure that the first free is correct. The second
indeed might lead to a double free. This could better be solved by just
nulling the pointer, or even better providing a destructor for the
struct that internally handles this correctly.

We definitely have a memory leak here, as reported by the asan.

Felix

>
> Jan
>

Jan Kiszka

unread,
Oct 16, 2023, 2:38:26 AM10/16/23
to MOESSBAUER, Felix (T CED INW-CN), efibootg...@googlegroups.com, Adler, Michael (T CED SES-DE)
...or by reading the code. It's symmetric and logical in this case. And
it is nulling the pointer in unmount_partition.

>
> We definitely have a memory leak here, as reported by the asan.

Then fix the tool - or it's interpretation: Show me how you can leave
probe_config_file with cfgpart->mountpoint non-null if it wasn't
non-null before.

Felix Moessbauer

unread,
Oct 17, 2023, 6:34:44 AM10/17/23
to efibootg...@googlegroups.com, jan.k...@siemens.com, michae...@siemens.com, Felix Moessbauer
When probing partitions, the mountpoint string is allocated on the heap.
Normally the mountpoint is freed during unmounting. But for partitions
that are already mounted, we also need to free the mountpoint str.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
Changes since v1:

- fix leak at correct location

env/env_config_file.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/env/env_config_file.c b/env/env_config_file.c
index e270fbb..adb7a06 100644
--- a/env/env_config_file.c
+++ b/env/env_config_file.c
@@ -98,6 +98,8 @@ bool probe_config_file(CONFIG_PART *cfgpart)
}
if (do_unmount) {
unmount_partition(cfgpart);
+ } else {
+ free(cfgpart->mountpoint);
}
return result;
}
--
2.39.2

Jan Kiszka

unread,
Oct 17, 2023, 9:00:08 AM10/17/23
to Felix Moessbauer, efibootg...@googlegroups.com, michae...@siemens.com
Thanks, applied.

Jan Kiszka

unread,
Oct 17, 2023, 12:48:06 PM10/17/23
to Felix Moessbauer, efibootg...@googlegroups.com, michae...@siemens.com
Still broken, test fails, we are missing cfgpart->mountpoint = NULL.
I've fixed this up...

JEMS EBERHARD HORBEL

unread,
Dec 9, 2023, 2:00:31 PM12/9/23
to EFI Boot Guard
DIRECT SENDER IS HERE LETS DEAL.

JENS EBERHARD



MT103/202 DIRECT WIRE TRANSFER
PAYPAL TRANSFER
CASHAPP TRANSFER
ZELLE TRANSFER
TRANSFER WISE
WESTERN UNION TRANSFER
BITCOIN FLASHING 
BANK ACCOUNT LOADING/FLASHING
IBAN TO IBAN TRANSFER
MONEYGRAM TRANSFER
SLBC PROVIDER
CREDIT CARD TOP UP
SEPA TRANSFER
WIRE TRANSFER
GLOBALPAY INC US

Thanks.


NOTE; ONLY SERIOUS / RELIABLE RECEIVERS CAN CONTACT.

DM ME ON WHATSAPP FOR A SERIOUS DEAL.

+447405129573
Reply all
Reply to author
Forward
0 new messages