Summary: | jail(3): memory leak when resizing jail parameter list. | |
---|---|---|---
Product: | Base System | Reporter: | Hans Christian Woithe <chwoithe>
Component: | bin | Assignee: | Mark Johnston <markj>
Status: | Closed FIXED | |
Severity: | Affects Some People | CC: | markj
Priority: | --- | Keywords: | patch
Version: | 12.1-RELEASE | |
Hardware: | Any | |
OS: | Any | |
Attachments: | | |
Assign appropriately. fwiw, the [patch] convention has been replaced by the use of the 'patch' Keyword.

A commit references this bug:

Author: markj
Date: Tue Jan 7 21:44:27 UTC 2020
New revision: 356476
URL: https://svnweb.freebsd.org/changeset/base/356476

Log:
libjail: Handle an error from reallocarray() when trimming the buffer.

There is no API guarantee that realloc() will not fail when the buffer is shrinking. Handle it by simply returning the untrimmed buffer. While this is unlikely to ever happen in practice, it seems worth handling just to silence static analyzer warnings.

PR: 243106
Submitted by: Hans Christian Woithe <chwoithe@yahoo.com>
MFC after: 1 week

Changes:
head/lib/libjail/jail.c

A commit references this bug:

Author: markj
Date: Tue Jan 14 02:41:53 UTC 2020
New revision: 356718
URL: https://svnweb.freebsd.org/changeset/base/356718

Log:
MFC r356476:
libjail: Handle an error from reallocarray() when trimming the buffer.

PR: 243106

Changes:
_U stable/12/
stable/12/lib/libjail/jail.c

Thanks for the report.
Created attachment 210458: proposed patch

reallocarray() is used in jailparam_all() to shrink the jail parameter list. It appears that the final call to shrink the list is unsafe if the reallocation fails. There is a possibility, for example, that NULL is assigned to *jpp and njp keeps its previous (likely non-zero) value. jls, which uses jailparam_all(), will attempt to use this invalid list. I have attached a proposed fix.
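The failure mode in this report and the handling described in the r356476 log (return the untrimmed buffer), shown as an added example that is not libjail's code or the attached patch. `struct param`, the `realloc_fn` hook, `failing_realloc` and the `trim_*` helpers are hypothetical names, and plain `realloc` behind the hook stands in for `reallocarray()` so that a failed shrink can be forced.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct jailparam; not libjail's definition. */
struct param { int id; };

/* Allocator hook (an assumption of this example) so a shrink failure can be forced. */
typedef void *(*realloc_fn)(void *, size_t);

static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* Pattern from the report: the result overwrites the caller's pointer unchecked. */
static size_t trim_unchecked(struct param **listp, size_t used, realloc_fn ra)
{
    *listp = ra(*listp, used * sizeof(**listp)); /* NULL on failure; old block is lost */
    return used;                                 /* count stays non-zero */
}

/* Checked form: on failure keep the untrimmed buffer, which is still valid. */
static size_t trim_checked(struct param **listp, size_t used, realloc_fn ra)
{
    struct param *tmp = ra(*listp, used * sizeof(**listp));
    if (tmp != NULL)
        *listp = tmp;
    return used;
}

/* Build a list with 8 slots and 3 used, trim it, and report whether the caller
 * is left with a usable list (1) or a NULL list with a non-zero count (0). */
static int list_usable_after_trim(int checked, realloc_fn ra)
{
    struct param *orig = calloc(8, sizeof(*orig)), *list = orig;
    if (orig == NULL)
        return -1;
    for (int i = 0; i < 3; i++)
        orig[i].id = 100 + i;                    /* constructed sample data */
    size_t n = checked ? trim_checked(&list, 3, ra) : trim_unchecked(&list, 3, ra);
    int ok = (list != NULL && n == 3 && list[2].id == 102);
    free(list != NULL ? list : orig); /* demo keeps orig so it can still free it */
    return ok;
}

int main(void)
{
    printf("unchecked, failing shrink: usable=%d\n", list_usable_after_trim(0, failing_realloc));
    printf("checked, failing shrink:   usable=%d\n", list_usable_after_trim(1, failing_realloc));
    printf("checked, normal realloc:   usable=%d\n", list_usable_after_trim(1, realloc));
    return 0;
}
```

In the unchecked case a real caller has no saved copy of the original pointer, so the block is both unreachable (the leak in the summary) and replaced by NULL while the count still says three entries.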