ls: plug a per-argument leak

Using ls -l on an SELinux-enabled system would leak one SELinux context string per non-empty-directory command-line argument. * src/ls.c (free_ent): New function, factored out of... (clear_files): ...here. Use it. (extract_dirs_from_files): Call free_ent (f), rather than simply free (f->name). The latter failed to free the possibly-malloc'd linkname and scontext members, and thus could leak one of those strings per command-line argument. * THANKS.in: Update. * NEWS (Bug fixes): Mention it. Reported by Juraj Marko in http://bugzilla.redhat.com/751974.
2026-04-17 17:18:45 +02:00 · 2011-11-08 19:03:39 +01:00
parent 91a5badc7b
commit f8245e96cd
3 changed files with 16 additions and 6 deletions
--- a/4
+++ b/4
@@ -11,6 +11,10 @@ GNU coreutils NEWS                                    -*- outline -*-
  --block-size=1KiB, a new long option --kibibyte stands for -k.
  [bug introduced in coreutils-4.5.4]

+  ls -l would leak a little memory (security context string) for each
+  nonempty directory listed on the command line, when using SELinux.
+  [bug probably introduced in coreutils-6.10 with SELinux support]
+
  rm -rf DIR would fail with "Device or resource busy" on Cygwin with NWFS
  and NcFsd file systems.  This did not affect Unix/Linux-based kernels.
  [bug introduced in coreutils-8.0, when rm began using fts]
--- a/THANKS.in
+++ b/THANKS.in
@@ -311,6 +311,7 @@ Juan M. Guerrero                    st001906@hrz1.hrz.tu-darmstadt.de
 Julian Bradfield                    jcb@inf.ed.ac.uk
 Jungshik Shin                       jshin@pantheon.yale.edu
 Jürgen Fluk                         louis@dachau.marco.de
+Juraj Marko                         jmarko@redhat.com
 Jurriaan                            thunder7@xs4all.nl
 Justin Pryzby                       justinpryzby@users.sourceforge.net
 jvogel                              jvogel@linkny.com
--- a/src/ls.c
+++ b/src/ls.c
@@ -2715,8 +2715,16 @@ has_capability (char const *name ATTRIBUTE_UNUSED)

 /* Enter and remove entries in the table `cwd_file'.  */

-/* Empty the table of files.  */
+static void
+free_ent (struct fileinfo *f)
+{
+  free (f->name);
+  free (f->linkname);
+  if (f->scontext != UNKNOWN_SECURITY_CONTEXT)
+    freecon (f->scontext);
+}

+/* Empty the table of files.  */
 static void
 clear_files (void)
 {
@@ -2725,10 +2733,7 @@ clear_files (void)
  for (i = 0; i < cwd_n_used; i++)
    {
      struct fileinfo *f = sorted_file[i];
-      free (f->name);
-      free (f->linkname);
-      if (f->scontext != UNKNOWN_SECURITY_CONTEXT)
-        freecon (f->scontext);
+      free_ent (f);
    }

  cwd_n_used = 0;
@@ -3164,7 +3169,7 @@ extract_dirs_from_files (char const *dirname, bool command_line_arg)
              free (name);
            }
          if (f->filetype == arg_directory)
-            free (f->name);
+            free_ent (f);
        }
    }