author | Ilya Pankratov <90714492+i-pankrat@users.noreply.github.com> | 2024-06-05 20:16:01 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-05 17:16:01 +0000 |
commit | 03ea436e1cb35fdcba8fb6588de209d0a10174e9 (patch) | |
tree | 170711d3f7db2c7a6ca92213dc56aa33f26465fb /src | |
parent | build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 (diff) | |
bugfix: fix various resource leaks (#6367)
Fix memory and descriptor leaks.
Signed-off-by: Ilya Pankratov <i.pankratov.main@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/fids/main.c | 2 | ||||
-rw-r--r-- | src/firecfg/desktop_files.c | 3 | ||||
-rw-r--r-- | src/firejail/bandwidth.c | 3 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 12 | ||||
-rw-r--r-- | src/firejail/ids.c | 2 | ||||
-rw-r--r-- | src/firejail/run_files.c | 2 | ||||
-rw-r--r-- | src/firejail/util.c | 1 | ||||
-rw-r--r-- | src/firemon/netstats.c | 2 | ||||
-rw-r--r-- | src/jailcheck/access.c | 3 | ||||
-rw-r--r-- | src/jailcheck/noexec.c | 2 | ||||
-rw-r--r-- | src/jailcheck/virtual.c | 1 |
11 files changed, 29 insertions, 4 deletions
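--- a/src/fids/main.c
+++ b/src/fids/main.c
@@ -106,9 +106,9 @@ static void file_checksum(const char *fname) {
 }
 else {
 content = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-close(fd);
 mmapped = 1;
 }
+close(fd);
 
 unsigned char checksum[KEY_SIZE / 8];
 blake2b(checksum, sizeof(checksum), content, size);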
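Review bot: The result of `mmap()` in the `else` branch is used without a check: `content` goes straight into `blake2b()` a few lines later, and on failure that pointer is `MAP_FAILED`, not a readable buffer. Since this change already reworks the descriptor handling here, the branch could test the mapping before `mmapped = 1` is set, for example `if (content == MAP_FAILED) { close(fd); return; }`. How file_checksum reports errors is outside the hunk, so the exact bail-out (plain return or an error exit) has to follow the rest of the function.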
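--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -300,6 +300,7 @@ void fix_desktop_files(const char *homedir) {
 
 if (stat(outname, &sb) == 0) {
 printf(" %s skipped: file exists\n", filename);
+free(outname);
 if (change_exec)
 free(change_exec);
 continue;
@@ -308,6 +309,7 @@ void fix_desktop_files(const char *homedir) {
 FILE *fpin = fopen(filename, "r");
 if (!fpin) {
 fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+free(outname);
 if (change_exec)
 free(change_exec);
 continue;
@@ -317,6 +319,7 @@ void fix_desktop_files(const char *homedir) {
 if (!fpout) {
 fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
 fclose(fpin);
+free(outname);
 if (change_exec)
 free(change_exec);
 continue;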
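Review bot: The three early exits of the loop in fix_desktop_files now each repeat the same cleanup, and the `if (change_exec)` guard in front of `free(change_exec)` is not needed because `free(NULL)` is a no-op. Each exit could read `free(outname); free(change_exec); continue;`, or all three could jump to one cleanup label at the bottom of the loop body so that a later early exit cannot reintroduce the leak. The end of the loop body is outside these hunks, so whether `outname` is released on the normal path cannot be confirmed from here. The same guarded form, `if (cmd) free(cmd);`, appears in print_proc in src/firemon/netstats.c.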
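--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -198,6 +198,8 @@ static void read_bandwidth_file(pid_t pid) {
 
 fclose(fp);
 }
+
+free(fname);
 }
 
 static void write_bandwidth_file(pid_t pid) {
@@ -217,6 +219,7 @@ static void write_bandwidth_file(pid_t pid) {
 ptr = ptr->next;
 }
 fclose(fp);
+free(fname);
 }
 else
 goto errout;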
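Review bot: In write_bandwidth_file the new `free(fname)` sits inside the success branch only, so the `else goto errout;` path leaves `fname` allocated, whereas read_bandwidth_file frees it once at the end of the function. The `errout` label is outside the hunk; if it still prints or otherwise uses `fname` before exiting, the asymmetry is intentional and deserves a comment at the free, such as `// released on success only; errout still needs fname`. If `errout` does not use it, that path should free it as well.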
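--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -67,8 +67,10 @@ static void skel(const char *homedir) {
 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
 errExit("asprintf");
 // don't copy it if we already have the file
-if (access(fname, F_OK) == 0)
+if (access(fname, F_OK) == 0) {
+free(fname);
 return;
+}
 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 fprintf(stderr, "Error: invalid %s file\n", fname);
 exit(1);
@@ -91,8 +93,10 @@ static void skel(const char *homedir) {
 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
 errExit("asprintf");
 // don't copy it if we already have the file
-if (access(fname, F_OK) == 0)
+if (access(fname, F_OK) == 0) {
+free(fname);
 return;
+}
 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 fprintf(stderr, "Error: invalid %s file\n", fname);
 exit(1);
@@ -115,8 +119,10 @@ static void skel(const char *homedir) {
 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
 errExit("asprintf");
 // don't copy it if we already have the file
-if (access(fname, F_OK) == 0)
+if (access(fname, F_OK) == 0) {
+free(fname);
 return;
+}
 if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
 fprintf(stderr, "Error: invalid %s file\n", fname);
 exit(1);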
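Review bot: The same four-line change lands in three places because the `.zshrc`, `.cshrc` and `.bashrc` blocks of skel are copies of each other, each checking `fname` by name with `access()` and then `is_link()` before the copy that follows outside the hunk. Two things are worth writing down at the check: `access()` tests with the real UID, and nothing visible here says what keeps the file from being replaced between these checks and the copy, so a comment such as `// checked by name only; the copy below must refuse symlinks itself` would record the assumption. A small static helper taking the file name would hold the check and the `free(fname)` once instead of three times. Whether `fname` is freed after a successful copy is outside the hunks.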
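--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -42,6 +42,7 @@ static void ids_init(void) {
 if (dup(fd) != STDOUT_FILENO)
 errExit("dup");
 close(fd);
+free(fname);
 
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIDS, "--init", cfg.homedir);
 }
@@ -63,6 +64,7 @@ static void ids_check(void) {
 if (dup(fd) != STDIN_FILENO)
 errExit("dup");
 close(fd);
+free(fname);
 
 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP| SBOX_ALLOW_STDIN, 3, PATH_FIDS, "--check", cfg.homedir);
 }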
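Review bot: Both ids_init and ids_check redirect with `dup(fd)` and then compare the result with `STDOUT_FILENO` or `STDIN_FILENO`, which works only if that descriptor was closed just before (outside the hunk) and happens to be the lowest free one. `dup2()` names the target directly and replaces it atomically: `if (dup2(fd, STDOUT_FILENO) == -1) errExit("dup2");` in ids_init, and the same with `STDIN_FILENO` in ids_check. Both function bodies start outside the hunks, so a preceding `close()` of the target descriptor would have to be dropped along with this change.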
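--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -122,6 +122,7 @@ void set_name_run_file(pid_t pid) {
 // mode and ownership
 SET_PERMS_STREAM(fp, 0, 0, 0644);
 fclose(fp);
+free(fname);
 }
 
 
@@ -141,6 +142,7 @@ void set_x11_run_file(pid_t pid, int display) {
 // mode and ownership
 SET_PERMS_STREAM(fp, 0, 0, 0644);
 fclose(fp);
+free(fname);
 }
 
 void set_profile_run_file(pid_t pid, const char *fname) {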
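Review bot: `fclose(fp)` in set_name_run_file and set_x11_run_file is the point where buffered data reaches the run file, and its return value is dropped. A failed flush would leave an empty or truncated run file with nothing reported; `if (fclose(fp) != 0) errExit("fclose");` would surface it, assuming errExit is the error path this file uses as other files in this commit do. Both functions start outside the hunks.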
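--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1392,6 +1392,7 @@ void enter_network_namespace(pid_t pid) {
 fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
 exit(1);
 }
+free(name);
 
 // join the namespace
 EUID_ROOT();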
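--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -152,10 +152,12 @@ static void print_proc(int index, int itv, int col) {
 struct stat s;
 if (stat(name, &s) == -1) {
 // the sandbox doesn't have a --net= option, don't print
+free(name);
 if (cmd)
 free(cmd);
 return;
 }
+free(name);
 
 // pid
 char pidstr[11];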
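--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -80,10 +80,13 @@ void access_setup(const char *directory) {
 FILE *fp = fopen(test_file, "w");
 if (!fp) {
 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+free(test_file);
+free(path);
 return;
 }
 fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
 fclose(fp);
+free(path);
 int rv = chown(test_file, user_uid, user_gid);
 if (rv)
 errExit("chown");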
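Review bot: After `fclose(fp)` the test file is handed over with `chown(test_file, user_uid, user_gid)`, which looks the path up a second time and follows a symlink if the name now points somewhere else. If `directory` is writable by the user being tested, the name can change between `fopen()` and `chown()`. Changing ownership through the open stream avoids the second lookup: `if (fchown(fileno(fp), user_uid, user_gid)) errExit("fchown");` placed before `fclose(fp)`. `fopen(test_file, "w")` itself also follows symlinks, and the same call appears in virtual_setup in src/jailcheck/virtual.c.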
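--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -55,6 +55,7 @@ void noexec_setup(void) {
 execfile_len = s.st_size;
 close(fd);
 }
+free(self);
 }
 }
 
@@ -110,4 +111,5 @@ void noexec_test(const char *path) {
 wait(&status);
 int rv = unlink(fname);
 (void) rv;
+free(fname);
 }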
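--- a/src/jailcheck/virtual.c
+++ b/src/jailcheck/virtual.c
@@ -49,6 +49,7 @@ void virtual_setup(const char *directory) {
 FILE *fp = fopen(test_file, "w");
 if (!fp) {
 printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+free(test_file);
 return;
 }
 fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");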