aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLibravatar Ilya Pankratov <90714492+i-pankrat@users.noreply.github.com>2024-06-05 20:16:01 +0300
committerLibravatar GitHub <noreply@github.com>2024-06-05 17:16:01 +0000
commit03ea436e1cb35fdcba8fb6588de209d0a10174e9 (patch)
tree170711d3f7db2c7a6ca92213dc56aa33f26465fb
parentbuild(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 (diff)
downloadfirejail-03ea436e1cb35fdcba8fb6588de209d0a10174e9.tar.gz
firejail-03ea436e1cb35fdcba8fb6588de209d0a10174e9.tar.zst
firejail-03ea436e1cb35fdcba8fb6588de209d0a10174e9.zip
bugfix: fix various resource leaks (#6367)
Fix memory and descriptor leaks. Signed-off-by: Ilya Pankratov <i.pankratov.main@gmail.com>
Diffstat
-rw-r--r--src/fids/main.c2
-rw-r--r--src/firecfg/desktop_files.c3
-rw-r--r--src/firejail/bandwidth.c3
-rw-r--r--src/firejail/fs_home.c12
-rw-r--r--src/firejail/ids.c2
-rw-r--r--src/firejail/run_files.c2
-rw-r--r--src/firejail/util.c1
-rw-r--r--src/firemon/netstats.c2
-rw-r--r--src/jailcheck/access.c3
-rw-r--r--src/jailcheck/noexec.c2
-rw-r--r--src/jailcheck/virtual.c1
11 files changed, 29 insertions, 4 deletions
diff --git a/src/fids/main.c b/src/fids/main.c
index 92b6468f3..415694f1e 100644
--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {
106 } 106 }
107 else { 107 else {
108 content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0); 108 content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
109 close(fd);
110 mmapped = 1; 109 mmapped = 1;
111 } 110 }
111 close(fd);
112 112
113 unsigned char checksum[KEY_SIZE / 8]; 113 unsigned char checksum[KEY_SIZE / 8];
114 blake2b(checksum, sizeof(checksum), content, size); 114 blake2b(checksum, sizeof(checksum), content, size);
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 1895e437b..8c21757ab 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -300,6 +300,7 @@ void fix_desktop_files(const char *homedir) {
300 300
301 if (stat(outname, &sb) == 0) { 301 if (stat(outname, &sb) == 0) {
302 printf(" %s skipped: file exists\n", filename); 302 printf(" %s skipped: file exists\n", filename);
303 free(outname);
303 if (change_exec) 304 if (change_exec)
304 free(change_exec); 305 free(change_exec);
305 continue; 306 continue;
@@ -308,6 +309,7 @@ void fix_desktop_files(const char *homedir) {
308 FILE *fpin = fopen(filename, "r"); 309 FILE *fpin = fopen(filename, "r");
309 if (!fpin) { 310 if (!fpin) {
310 fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename); 311 fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
312 free(outname);
311 if (change_exec) 313 if (change_exec)
312 free(change_exec); 314 free(change_exec);
313 continue; 315 continue;
@@ -317,6 +319,7 @@ void fix_desktop_files(const char *homedir) {
317 if (!fpout) { 319 if (!fpout) {
318 fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname); 320 fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
319 fclose(fpin); 321 fclose(fpin);
322 free(outname);
320 if (change_exec) 323 if (change_exec)
321 free(change_exec); 324 free(change_exec);
322 continue; 325 continue;
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index db130afd3..cbfcc90ed 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -198,6 +198,8 @@ static void read_bandwidth_file(pid_t pid) {
198 198
199 fclose(fp); 199 fclose(fp);
200 } 200 }
201
202 free(fname);
201} 203}
202 204
203static void write_bandwidth_file(pid_t pid) { 205static void write_bandwidth_file(pid_t pid) {
@@ -217,6 +219,7 @@ static void write_bandwidth_file(pid_t pid) {
217 ptr = ptr->next; 219 ptr = ptr->next;
218 } 220 }
219 fclose(fp); 221 fclose(fp);
222 free(fname);
220 } 223 }
221 else 224 else
222 goto errout; 225 goto errout;
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 7c3f3835b..9d9832c15 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -67,8 +67,10 @@ static void skel(const char *homedir) {
67 if (asprintf(&fname, "%s/.zshrc", homedir) == -1) 67 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
68 errExit("asprintf"); 68 errExit("asprintf");
69 // don't copy it if we already have the file 69 // don't copy it if we already have the file
70 if (access(fname, F_OK) == 0) 70 if (access(fname, F_OK) == 0) {
71 free(fname);
71 return; 72 return;
73 }
72 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat 74 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
73 fprintf(stderr, "Error: invalid %s file\n", fname); 75 fprintf(stderr, "Error: invalid %s file\n", fname);
74 exit(1); 76 exit(1);
@@ -91,8 +93,10 @@ static void skel(const char *homedir) {
91 if (asprintf(&fname, "%s/.cshrc", homedir) == -1) 93 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
92 errExit("asprintf"); 94 errExit("asprintf");
93 // don't copy it if we already have the file 95 // don't copy it if we already have the file
94 if (access(fname, F_OK) == 0) 96 if (access(fname, F_OK) == 0) {
97 free(fname);
95 return; 98 return;
99 }
96 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat 100 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
97 fprintf(stderr, "Error: invalid %s file\n", fname); 101 fprintf(stderr, "Error: invalid %s file\n", fname);
98 exit(1); 102 exit(1);
@@ -115,8 +119,10 @@ static void skel(const char *homedir) {
115 if (asprintf(&fname, "%s/.bashrc", homedir) == -1) 119 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
116 errExit("asprintf"); 120 errExit("asprintf");
117 // don't copy it if we already have the file 121 // don't copy it if we already have the file
118 if (access(fname, F_OK) == 0) 122 if (access(fname, F_OK) == 0) {
123 free(fname);
119 return; 124 return;
125 }
120 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat 126 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
121 fprintf(stderr, "Error: invalid %s file\n", fname); 127 fprintf(stderr, "Error: invalid %s file\n", fname);
122 exit(1); 128 exit(1);
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index 40bbe6d02..0759a205d 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -42,6 +42,7 @@ static void ids_init(void) {
42 if (dup(fd) != STDOUT_FILENO) 42 if (dup(fd) != STDOUT_FILENO)
43 errExit("dup"); 43 errExit("dup");
44 close(fd); 44 close(fd);
45 free(fname);
45 46
46 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir); 47 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
47} 48}
@@ -63,6 +64,7 @@ static void ids_check(void) {
63 if (dup(fd) != STDIN_FILENO) 64 if (dup(fd) != STDIN_FILENO)
64 errExit("dup"); 65 errExit("dup");
65 close(fd); 66 close(fd);
67 free(fname);
66 68
67 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir); 69 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
68} 70}
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index cb078b580..4bd0ba459 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) {
122 // mode and ownership 122 // mode and ownership
123 SET_PERMS_STREAM(fp, 0, 0, 0644); 123 SET_PERMS_STREAM(fp, 0, 0, 0644);
124 fclose(fp); 124 fclose(fp);
125 free(fname);
125} 126}
126 127
127 128
@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) {
141 // mode and ownership 142 // mode and ownership
142 SET_PERMS_STREAM(fp, 0, 0, 0644); 143 SET_PERMS_STREAM(fp, 0, 0, 0644);
143 fclose(fp); 144 fclose(fp);
145 free(fname);
144} 146}
145 147
146void set_profile_run_file(pid_t pid, const char *fname) { 148void set_profile_run_file(pid_t pid, const char *fname) {
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 323133f8d..5d7c244b1 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) {
1392 fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n"); 1392 fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
1393 exit(1); 1393 exit(1);
1394 } 1394 }
1395 free(name);
1395 1396
1396 // join the namespace 1397 // join the namespace
1397 EUID_ROOT(); 1398 EUID_ROOT();
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 39dc38ec9..e70174b1e 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -152,10 +152,12 @@ static void print_proc(int index, int itv, int col) {
152 struct stat s; 152 struct stat s;
153 if (stat(name, &s) == -1) { 153 if (stat(name, &s) == -1) {
154 // the sandbox doesn't have a --net= option, don't print 154 // the sandbox doesn't have a --net= option, don't print
155 free(name);
155 if (cmd) 156 if (cmd)
156 free(cmd); 157 free(cmd);
157 return; 158 return;
158 } 159 }
160 free(name);
159 161
160 // pid 162 // pid
161 char pidstr[11]; 163 char pidstr[11];
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
index 50c51839b..5fbcb5a15 100644
--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -80,10 +80,13 @@ void access_setup(const char *directory) {
80 FILE *fp = fopen(test_file, "w"); 80 FILE *fp = fopen(test_file, "w");
81 if (!fp) { 81 if (!fp) {
82 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); 82 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
83 free(test_file);
84 free(path);
83 return; 85 return;
84 } 86 }
85 fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); 87 fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
86 fclose(fp); 88 fclose(fp);
89 free(path);
87 int rv = chown(test_file, user_uid, user_gid); 90 int rv = chown(test_file, user_uid, user_gid);
88 if (rv) 91 if (rv)
89 errExit("chown"); 92 errExit("chown");
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
index 37234c648..e5657135d 100644
--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -55,6 +55,7 @@ void noexec_setup(void) {
55 execfile_len = s.st_size; 55 execfile_len = s.st_size;
56 close(fd); 56 close(fd);
57 } 57 }
58 free(self);
58 } 59 }
59} 60}
60 61
@@ -110,4 +111,5 @@ void noexec_test(const char *path) {
110 wait(&status); 111 wait(&status);
111 int rv = unlink(fname); 112 int rv = unlink(fname);
112 (void) rv; 113 (void) rv;
114 free(fname);
113} 115}
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c
index d4bfd1923..348efc784 100644
--- a/src/jailcheck/virtual.c
+++ b/src/jailcheck/virtual.c
@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) {
49 FILE *fp = fopen(test_file, "w"); 49 FILE *fp = fopen(test_file, "w");
50 if (!fp) { 50 if (!fp) {
51 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory); 51 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
52 free(test_file);
52 return; 53 return;
53 } 54 }
54 fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); 55 fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-06 23:13:02 +0000