2219417 – leak in libnss_nis-3.0/src/nis-initgroups.c:_nss_nis_initgroups_dyn()

Bug 2219417 - leak in libnss_nis-3.0/src/nis-initgroups.c:_nss_nis_initgroups_dyn()

Summary: leak in libnss_nis-3.0/src/nis-initgroups.c:_nss_nis_initgroups_dyn()

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	nss_nis
Sub Component:
Version:	8.5
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Ondřej Sloup
QA Contact:	RHEL CS Apps Subsystem QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-03 14:44 UTC by Paulo Andrade
Modified:	2023-07-03 15:18 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-161457	0	None	None	None	2023-07-03 14:45:43 UTC

Description Paulo Andrade 2023-07-03 14:44:34 UTC

Sample valgrind log:

==1324413== 630,390,784 (630,358,016 direct, 32,768 indirect) bytes in 19,237 blocks are definitely lost in loss record 2,743 of 2,743
==1324413==    at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
==1324413==    by 0xD503064: _nss_nis_initgroups_dyn (nis-initgroups.c:279)
==1324413==    by 0x8012E1D: internal_getgrouplist (in /usr/lib64/libc-2.28.so)
==1324413==    by 0x80130A4: getgrouplist (in /usr/lib64/libc-2.28.so)
==1324413==    by 0x1187E8: subject_to_jsval(_PolkitBackendJsAuthority*, _PolkitSubject*, _PolkitIdentity*, int, int, JS::MutableHandle<JS::Value>, _GError**) (polkitbackendjsauthority.cpp:815)
==1324413==    by 0x119113: polkit_backend_js_authority_check_authorization_sync(_PolkitBackendInteractiveAuthority*, _PolkitSubject*, _PolkitSubject*, _PolkitIdentity*, int, int, char const*, _PolkitDetails*, PolkitImplicitAuthorization) (polkitbackendjsauthority.cpp:1213)
==1324413==    by 0x11CBBB: check_authorization_sync (polkitbackendinteractiveauthority.c:1164)
==1324413==    by 0x11D445: polkit_backend_interactive_authority_check_authorization (polkitbackendinteractiveauthority.c:981)
==1324413==    by 0x114690: server_handle_check_authorization (polkitbackendauthority.c:790)
==1324413==    by 0x114690: server_handle_method_call (polkitbackendauthority.c:1272)
==1324413==    by 0x512D76F: call_in_idle_cb (gdbusconnection.c:4852)
==1324413==    by 0x56ACD2A: g_idle_dispatch (gmain.c:5579)
==1324413==    by 0x56B095C: g_main_dispatch (gmain.c:3193)
==1324413==    by 0x56B095C: g_main_context_dispatch (gmain.c:3873)

If using the path glibc-2.28/nis/nss_nis/nis-initgroup.c:_nss_nis_initgroups_dyn()
there is no leak, but if nss_nis is installed, it will use
libnss_nis-3.0/src/nis-initgroups.c:_nss_nis_initgroups_dyn() that leaks.

  The leak is in the block:

"""
  tmpbuf = malloc (buflen);
  if (tmpbuf == NULL)
    return NSS_STATUS_TRYAGAIN;

  while (1)
    {
      while ((status =
              internal_getgrent_r (&grpbuf, tmpbuf, buflen, errnop,
                                   &intern)) == NSS_STATUS_TRYAGAIN
             && *errnop == ERANGE)
        {
          tmpbuf = realloc (tmpbuf, 2 * buflen);
          buflen = 2 * buflen;
        }
"""

  tmpbuf should bew released before returing. The pseudo patch is:


 done:
+  free (tmpbuf);
   while (intern.start != NULL)

could also initialize it to NULL for more clear code.

  For the moment we are asking the user if there is a reason to have nss_nis,
ypbind and yp-tools packages installed.

Note You need to log in before you can comment on or make changes to this bug.