mirb - memory leak in mrb_default_allocf - state.c:60 #3658

Closed
ilsani opened this issue May 15, 2017 · 2 comments

Comments

ilsani commented May 15, 2017

Hello,
ASAN detects a memory leak in mirb. Testcase:

0if()&.s=()&.g=0

ASAN:

==4271==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f673ac52090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x4a4155 in mrb_default_allocf /tmp/mruby/src/state.c:60
    #2 0x4cbe86 in mrb_realloc_simple /tmp/mruby/src/gc.c:203
    #3 0x4cc541 in mrb_realloc /tmp/mruby/src/gc.c:217
    #4 0x40524c in parse_args /tmp/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:279
    #5 0x402f59 in main /tmp/mruby/mrbgems/mruby-bin-mirb/tools/mirb/mirb.c:390
    #6 0x7f6739e742b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).

I think that occurs mainly because state.c:60 does not check realloc's return value and/or because the execution terminates without properly freeing memory allocated by realloc.

#include <stdlib.h>  /* free(), realloc() */

/* mruby's default allocator (src/state.c), as reported in the stack trace above. */
void*
mrb_default_allocf(mrb_state *mrb, void *p, size_t size, void *ud)
{
  if (size == 0) {
    free(p);
    return NULL;
  }
  else {
    // If realloc() fails the original block is left untouched; it is not freed or moved.
    return realloc(p, size);
  }
}

Compiled with:

LDFLAGS="-lasan" CC=clang CFLAGS="-fPIC -static -g -ggdb -O0 -fsanitize=address" ./minirake --rakefile=Rakefile default

Test platform:

Linux 4.3.0-1-amd64 #1 SMP Debian 4.3.3-7 (2016-01-19) x86_64 GNU/Linux

GIT SHA:

82bc036a5947a9b672568c664fd0a37071243c91
Asmod4n (Contributor) commented May 26, 2017

@matz
Hm, doesn't this fix mean that something like

ary = []
ary << "hallo" # this wants to increase the size of the array, if it fails the array gets freed(?)

can now cause a use-after-free?

matz (Member) commented May 26, 2017

@Asmod4n It doesn't happen on my box.
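The two failure modes discussed in this thread (the leak ilsani reported when a realloc result overwrites the only copy of the old pointer, and the use-after-free Asmod4n asks about if an allocator were to free the old block on failure) come down to who owns the original block when realloc returns NULL. The following is an added, self-contained example written for this page; it is not mruby's or mirb's code. It keeps mruby's allocator callback shape (size 0 means free, realloc otherwise, original block untouched on failure), adds a hypothetical fault-injecting allocator `limited_allocf` so the failure path runs without exhausting memory, and puts the leaky growth pattern beside the safe one on a small growable buffer. All names are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Allocator callback in the same shape as mruby's default allocator
 * (state pointer omitted; ud is caller-supplied data). */
typedef void *(*allocf_t)(void *p, size_t size, void *ud);

/* Same semantics as the snippet in the issue: on realloc() failure the
 * original block p is left untouched and still owned by the caller. */
static void *default_allocf(void *p, size_t size, void *ud)
{
    (void)ud;
    if (size == 0) { free(p); return NULL; }
    return realloc(p, size);
}

/* Hypothetical fault-injecting allocator (test aid, not mruby code):
 * refuses any request larger than *(size_t *)ud, simulating ENOMEM. */
static void *limited_allocf(void *p, size_t size, void *ud)
{
    size_t limit = *(size_t *)ud;
    if (size > limit) return NULL;   /* p is untouched, exactly like realloc */
    return default_allocf(p, size, ud);
}

/* Minimal growable byte buffer that owns exactly one allocation. */
typedef struct { char *data; size_t len, cap; allocf_t allocf; void *ud; } buf_t;

static void buf_init(buf_t *b, allocf_t allocf, void *ud)
{
    b->data = NULL; b->len = 0; b->cap = 0; b->allocf = allocf; b->ud = ud;
}

/* Leaky pattern: the realloc result overwrites the only pointer.
 * On failure the old block is orphaned (what LeakSanitizer reports). */
static int buf_grow_leaky(buf_t *b, size_t newcap)
{
    b->data = b->allocf(b->data, newcap, b->ud);   /* BUG: old pointer lost on NULL */
    if (b->data == NULL) { b->cap = 0; return 0; }
    b->cap = newcap;
    return 1;
}

/* Safe pattern: replace the pointer only once the new block exists, so a
 * failed growth leaves the buffer valid, its contents intact, and nothing
 * dangling for a later use-after-free. */
static int buf_grow(buf_t *b, size_t newcap)
{
    char *tmp = b->allocf(b->data, newcap, b->ud);
    if (tmp == NULL) return 0;        /* b->data still valid, caller still owns it */
    b->data = tmp;
    b->cap = newcap;
    return 1;
}

static int buf_append(buf_t *b, const char *s)
{
    size_t n = strlen(s);
    if (b->len + n + 1 > b->cap) {
        size_t want = b->cap ? b->cap * 2 : 16;
        while (want < b->len + n + 1) want *= 2;
        if (!buf_grow(b, want)) return 0;   /* report failure, keep old contents */
    }
    memcpy(b->data + b->len, s, n + 1);
    b->len += n;
    return 1;
}

static void buf_free(buf_t *b)
{
    b->allocf(b->data, 0, b->ud);   /* size 0 == free; safe when data is NULL */
    b->data = NULL; b->len = b->cap = 0;
}

/* Safe growth under a 32-byte limit: the first append fits, the second
 * must fail, and the buffer must remain usable and free exactly once.
 * Returns the number of successful appends (expected 1), or -1 on corruption. */
static int demo_failed_growth(void)
{
    size_t limit = 32;
    buf_t b;
    buf_init(&b, limited_allocf, &limit);
    int ok = 0;
    ok += buf_append(&b, "0if()&.s=()&.g=0");                        /* 16 chars, cap -> 32 */
    ok += buf_append(&b, "this line does not fit within the limit");  /* needs 64, refused */
    if (strcmp(b.data, "0if()&.s=()&.g=0") != 0) ok = -1;            /* contents survived? */
    buf_free(&b);
    return ok;
}

/* Leaky growth under the same limit. Returns 1 when the old block was orphaned.
 * orphan_watch exists only so this demo can clean up; real code has no such copy. */
static int demo_leaky_growth(void)
{
    size_t limit = 32;
    buf_t b;
    buf_init(&b, limited_allocf, &limit);
    buf_grow_leaky(&b, 16);
    char *orphan_watch = b.data;
    int grew = buf_grow_leaky(&b, 64);   /* fails: b.data becomes NULL, old block orphaned */
    int leaked = (!grew && b.data == NULL && orphan_watch != NULL);
    free(orphan_watch);
    return leaked;
}

int main(void)
{
    printf("safe growth: %d append(s) succeeded\n", demo_failed_growth());
    printf("leaky growth orphaned the old block: %d\n", demo_leaky_growth());
    return 0;
}
```

The point for reviewers of an allocator change: an allocator that freed `p` on failure would make `buf_grow` and every caller like it hold a dangling pointer, which is the use-after-free Asmod4n describes; an allocator that leaves `p` untouched (the documented realloc contract) makes the caller responsible for not overwriting its only copy, which is the leak ilsani's ASAN run shows. Keeping the old pointer in a temporary until the new block exists satisfies both.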
