14376 – Tar component in busybox version 1.34.1 has a memory leak bug when trying to unpack a tar file.

Bug 14376 - Tar component in busybox version 1.34.1 has a memory leak bug when trying to unpack a tar file.

Summary: Tar component in busybox version 1.34.1 has a memory leak bug when trying to ...

Status:	NEW

Alias:	None

Product:	Busybox
Classification:	Unclassified
Component:	Other (show other bugs)
Version:	unspecified
Hardware:	All Linux

Importance:	P5 major
Target Milestone:	---
Assignee:	unassigned

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-11-23 17:34 UTC by spwpun
Modified:	2021-11-25 11:02 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:

Attachments
try to unpack this file with cmds above. (10.00 KB, application/x-tar) 2021-11-23 17:34 UTC, spwpun	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description spwpun 2021-11-23 17:34:49 UTC

Created attachment 9156 [details]
try to unpack this file with cmds above.

Hi~

In libbb/xfuncs_printf.c:50, malloc twice for archive_handle and archive_hadle->fileheader with 184 and 72 bytes heap space.

Back to tar_main function, the two pointers(tar_handle，tar_handle->file_header) hasn't been freed when return.

Complie cmds:
```
make O=/path/to/build defconfig
make O=/path/to/build menuconfig  # and choice ASAN options
cd /path/to/build && make -j4
```
Reproduce cmd:
```
./busybox_unstripped tar -xf test.tar
```

Backtarce in gdb:
```
[#0] 0x555555e7022e → tar_main(argc=0x3, argv=0x7fffffffe430)
[#1] 0x555555b06aac → run_applet_no_and_exit(applet_no=0x148, name=0x7fffffffe709 "tar", argv=0x7fffffffe430)
[#2] 0x555555b06b6b → run_applet_and_exit(name=0x7fffffffe709 "tar", argv=0x7fffffffe430)
[#3] 0x555555b067cf → busybox_main(argv=0x7fffffffe430)
[#4] 0x555555b06b29 → run_applet_and_exit(name=0x7fffffffe6f6 "busybox_unstripped", argv=0x7fffffffe428)
[#5] 0x555555b06cbf → main(argc=0x4, argv=0x7fffffffe428)
```

LeakSanitizer log:
```
=================================================================
==120986==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 184 byte(s) in 1 object(s) allocated from:
    #0 0x7efda806bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x555577ed8987 in xmalloc /home/zy/packages/dhcp-targets/busybox-1.34.1/libbb/xfuncs_printf.c:50

Indirect leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x7efda806bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x555577ed8987 in xmalloc /home/zy/packages/dhcp-targets/busybox-1.34.1/libbb/xfuncs_printf.c:50

SUMMARY: AddressSanitizer: 256 byte(s) leaked in 2 allocation(s).
```