[Bug stdio/24583] New: Memory leak in fopen with ccs argument

fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

            Bug ID: 24583
           Summary: Memory leak in fopen with ccs argument
           Product: glibc
           Version: 2.30
            Status: NEW
          Severity: minor
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security-

Reproducer:

#include <err.h>
#include <locale.h>
#include <stdio.h>

int
main (void)
{
  if (setlocale (LC_ALL, "fr_FR.iso885915@euro") == NULL)
    err (1, "setlocale");
  FILE *fp = fopen ("/etc/passwd", "r,ccs=UTF-8");
  if (fp == NULL)
    err (1, "fopen");
  if (fclose (fp) != 0)
    err (1, "fclose");
  return 0;
}

The problem seems to be that the libio code never calls __gconv_close_transform
for the gconv functions returned by __wcsmbs_named_conv.  Calling
__gconv_release_step in _IO_new_fclose is not sufficient.

--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
In the LeakSanitizer sources, this is identified as:

    // Leak in glibc's gconv caused by fopen(..., "r,ccs=UNICODE")
    "leak:__gconv_lookup_cache\n"

[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
In reply to this post by fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com

[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
In reply to this post by fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7e740ab2e7be7d83b75513aa406e0b10875f7f9c

commit 7e740ab2e7be7d83b75513aa406e0b10875f7f9c
Author: Florian Weimer <[hidden email]>
Date:   Tue May 21 10:34:21 2019 +0200

    libio: Fix gconv-related memory leak [BZ #24583]

    struct gconv_fcts for the C locale is statically allocated,
    and __gconv_close_transform deallocates the steps object.
    Therefore this commit introduces __wcsmbs_close_conv to avoid
    freeing the statically allocated steps objects.

[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
In reply to this post by fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.30

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for 2.30.

[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
In reply to this post by fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugzilla/show_bug.cgi?id=24677

[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
In reply to this post by fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
I believe this fix has caused bug 24677.

[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
In reply to this post by fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=50ce3eae5ba304650459d4441d7d246a7cefc26f

commit 50ce3eae5ba304650459d4441d7d246a7cefc26f
Author: Florian Weimer <[hidden email]>
Date:   Thu Jul 18 17:27:24 2019 +0200

    gconv: Check reference count in __gconv_release_cache  [BZ #24677]

    This fixes a regression introduced in commit
    7e740ab2e7be7d83b75513aa406e0b10875f7f9c ("libio: Fix gconv-related
    memory leak [BZ #24583]").

    __gconv_release_cache is only ever called with heap-allocated
    arrays which contain at least one member.  The statically allocated
    ASCII steps are filtered out by __wcsmbs_close_conv.

[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
In reply to this post by fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0bfddfc9444ed6154da7e70bae6a1b4809b88c93

commit 0bfddfc9444ed6154da7e70bae6a1b4809b88c93
Author: Florian Weimer <[hidden email]>
Date:   Wed Jul 31 11:43:59 2019 +0200

    iconv: Revert steps array reference counting changes

    The changes introduce a memory leak for gconv steps arrays whose
    first element is an internal conversion, which has a fixed
    reference count which is not decremented.  As a result, after the
    change in commit 50ce3eae5ba304650459d4441d7d246a7cefc26f, the steps
    array is never freed, resulting in an unbounded memory leak.

    This reverts commit 50ce3eae5ba304650459d4441d7d246a7cefc26f
    ("gconv: Check reference count in __gconv_release_cache
    [BZ #24677]") and commit 7e740ab2e7be7d83b75513aa406e0b10875f7f9c
    ("libio: Fix gconv-related memory leak [BZ #24583]").  It
    reintroduces bug 24583.  (Bug 24677 was just a regression caused by
    the second commit.)

[Bug stdio/24583] Memory leak in fopen with ccs argument

fweimer at redhat dot com
In reply to this post by fweimer at redhat dot com
https://sourceware.org/bugzilla/show_bug.cgi?id=24583

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
            Version|2.30                        |2.31
         Resolution|FIXED                       |---
   Target Milestone|2.30                        |---

--- Comment #7 from Florian Weimer <fweimer at redhat dot com> ---
Fix had to be reverted.

--
You are receiving this mail because:
You are on the CC list for the bug.
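
The revert message in comment #6 describes steps arrays whose first element is an internal conversion with a fixed reference count that is never decremented. As an added illustration (not glibc source and not part of this thread), the simplified C model below shows why a release check on that counter leaves such arrays allocated. All names (`struct step`, `release_array_checked`, `leaked_after`) are hypothetical, and the model assumes the check compares the first step's counter against zero.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not glibc code; every name here is hypothetical. */
struct step {
  bool internal;  /* built-in conversion: its counter is fixed */
  int counter;    /* reference count of this step */
};

/* Allocate a two-step array, each step holding one reference. */
static struct step *open_steps(bool first_internal) {
  struct step *s = calloc(2, sizeof *s);
  if (s == NULL) abort();
  s[0].internal = first_internal;
  s[0].counter = s[1].counter = 1;
  return s;
}

/* Drop one reference per step; internal steps are skipped. */
static void release_steps(struct step *s, size_t n) {
  for (size_t i = 0; i < n; ++i)
    if (!s[i].internal) --s[i].counter;
}

/* Assumed form of the check: free the array only once the first
   step's counter has reached zero.  Returns true if it was freed. */
static bool release_array_checked(struct step *s) {
  if (s[0].counter != 0) return false;
  free(s);
  return true;
}

/* Open and close n conversions; count arrays the check refused to free. */
int leaked_after(int n, bool first_internal) {
  int leaked = 0;
  for (int i = 0; i < n; ++i) {
    struct step *s = open_steps(first_internal);
    release_steps(s, 2);
    if (!release_array_checked(s)) {
      ++leaked;  /* in the modeled library this array is now lost */
      free(s);   /* cleanup so the demonstration itself does not leak */
    }
  }
  return leaked;
}

int main(void) {
  printf("loadable first step: %d leaked\n", leaked_after(1000, false));
  printf("internal first step: %d leaked\n", leaked_after(1000, true));
  return 0;
}
```

The leak count grows linearly with the number of open/close cycles when the first step is internal, which matches the "unbounded memory leak" wording in the revert commit.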