From a0ebdb22e5d1ccc1eb7ebed44c528194b73bfdbf Mon Sep 17 00:00:00 2001
From: Pingfan Liu
Date: Tue, 29 Jun 2021 09:44:24 +0800
Subject: [PATCH] fix covscan complain
Resolves: bz1938828
Upstream: numactl
Conflict: None
Signed-off-by: Pingfan Liu
---
 0002-shm.c-fix-memleak-in-dump_shm.patch | 44 ++++++++++++++
 0003-shm.c-fix-memleak-in-verify_shm.patch | 60 +++++++++++++++++++
 ...-don-t-leak-fd-if-fail-in-sysfs_read.patch | 29 +++++++++
 ...-prevent-mem-leak-in-sysfs_node_read.patch | 60 +++++++++++++++++++
 0006-numactl.c-fix-use-after-free.patch | 30 ++++++++++
 numactl.spec | 5 ++
 6 files changed, 228 insertions(+)
 create mode 100644 0002-shm.c-fix-memleak-in-dump_shm.patch
 create mode 100644 0003-shm.c-fix-memleak-in-verify_shm.patch
 create mode 100644 0004-sysfs.c-don-t-leak-fd-if-fail-in-sysfs_read.patch
 create mode 100644 0005-sysfs.c-prevent-mem-leak-in-sysfs_node_read.patch
 create mode 100644 0006-numactl.c-fix-use-after-free.patch
diff --git a/0002-shm.c-fix-memleak-in-dump_shm.patch b/0002-shm.c-fix-memleak-in-dump_shm.patch
new file mode 100644
index 0000000..76540d2
--- /dev/null
+++ b/0002-shm.c-fix-memleak-in-dump_shm.patch
@@ -0,0 +1,44 @@
+From 7b5f3e98680f0720f9e6d06b6acdcbf92af4aedd Mon Sep 17 00:00:00 2001
+From: Pingfan Liu
+Date: Thu, 10 Jun 2021 10:54:08 +0800
+Subject: [PATCH 2/6] shm.c: fix memleak in dump_shm()
+
+Signed-off-by: Pingfan Liu
+---
+ shm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/shm.c b/shm.c
+index 79043c9..c0b6ee3 100644
+--- a/shm.c
++++ b/shm.c
+@@ -182,7 +182,7 @@ dumppol(unsigned long long start, unsigned long long end, int pol, struct bitmas
+ /* Dump policies in a shared memory segment. */
+ void dump_shm(void)
+ {
+- struct bitmask *nodes, *prevnodes;
++ struct bitmask *nodes, *prevnodes, *tag;
+ int prevpol = -1, pol;
+ unsigned long long c, start;
+
+@@ -193,7 +193,7 @@ void dump_shm(void)
+ }
+
+ nodes = numa_allocate_nodemask();
+- prevnodes = numa_allocate_nodemask();
++ tag = prevnodes = numa_allocate_nodemask();
+
+ for (c = 0; c < shmlen; c += shm_pagesize) {
+ if (get_mempolicy(&pol, nodes->maskp, nodes->size, c+shmptr,
+@@ -208,6 +208,8 @@ void dump_shm(void)
+ start = c;
+ }
+ dumppol(start, c, prevpol, prevnodes);
++ numa_free_nodemask(nodes);
++ numa_free_nodemask(tag);
+ }
+
+ static void dumpnode(unsigned long long start, unsigned long long end, int node)
+--
+2.29.2
+
diff --git a/0003-shm.c-fix-memleak-in-verify_shm.patch b/0003-shm.c-fix-memleak-in-verify_shm.patch
new file mode 100644
index 0000000..53f6871
--- /dev/null
+++ b/0003-shm.c-fix-memleak-in-verify_shm.patch
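Review bot: The new `tag` alias in the dump_shm() hunks of 0002-shm.c-fix-memleak-in-dump_shm.patch is unexplained, and the reason for it is not visible in the hunk context. It presumably exists because `prevnodes` is re-pointed inside the loop (the loop body between the second and third inner hunks is not shown), so freeing `prevnodes` at the end could release `nodes` twice and leak the second allocation. A comment at the assignment would stop a later cleanup from folding the alias away, e.g. `/* prevnodes may be re-pointed at nodes in the loop; tag keeps the original allocation for numa_free_nodemask() */`. A name such as `prevnodes_alloc` would carry the same information.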
@@ -0,0 +1,60 @@
+From 8ae75219cc7a0dc69e77e22ba2547104078769d8 Mon Sep 17 00:00:00 2001
+From: Pingfan Liu
+Date: Thu, 10 Jun 2021 11:06:07 +0800
+Subject: [PATCH 3/6] shm.c: fix memleak in verify_shm()
+
+Signed-off-by: Pingfan Liu
+---
+ shm.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/shm.c b/shm.c
+index c0b6ee3..e5192e5 100644
+--- a/shm.c
++++ b/shm.c
+@@ -273,8 +273,6 @@ void verify_shm(int policy, struct bitmask *nodes)
+ int pol2;
+ struct bitmask *nodes2;
+
+- nodes2 = numa_allocate_nodemask();
+-
+ if (policy == MPOL_INTERLEAVE) {
+ if (get_mempolicy(&ilnode, NULL, 0, shmptr,
+ MPOL_F_ADDR|MPOL_F_NODE)
+@@ -282,6 +280,8 @@ void verify_shm(int policy, struct bitmask *nodes)
+ err("get_mempolicy");
+ }
+
++ nodes2 = numa_allocate_nodemask();
++
+ for (p = shmptr; p - (char *)shmptr < shmlen; p += shm_pagesize) {
+ if (get_mempolicy(&pol2, nodes2->maskp, nodes2->size, p,
+ MPOL_F_ADDR) < 0)
+@@ -289,7 +289,7 @@ void verify_shm(int policy, struct bitmask *nodes)
+ if (pol2 != policy) {
+ vwarn(p, "wrong policy %s, expected %s\n",
+ policy_name(pol2), policy_name(policy));
+- return;
++ goto out;
+ }
+ if (memcmp(nodes2, nodes, numa_bitmask_nbytes(nodes))) {
+ vwarn(p, "mismatched node mask\n");
+@@ -307,7 +307,7 @@ void verify_shm(int policy, struct bitmask *nodes)
+ if (node != ilnode) {
+ vwarn(p, "expected interleave node %d, got %d\n",
+ ilnode,node);
+- return;
++ goto out;
+ }
+ ilnode = interleave_next(ilnode, nodes2);
+ break;
+@@ -325,4 +325,6 @@ void verify_shm(int policy, struct bitmask *nodes)
+ }
+ }
+
++out:
++ numa_free_nodemask(nodes2);
+ }
+--
+2.29.2
+
diff --git a/0004-sysfs.c-don-t-leak-fd-if-fail-in-sysfs_read.patch b/0004-sysfs.c-don-t-leak-fd-if-fail-in-sysfs_read.patch
new file mode 100644
index 0000000..08b8840
--- /dev/null
+++ b/0004-sysfs.c-don-t-leak-fd-if-fail-in-sysfs_read.patch
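Review bot: The context line `if (memcmp(nodes2, nodes, numa_bitmask_nbytes(nodes)))` in the `@@ -289,7` hunk of 0003-shm.c-fix-memleak-in-verify_shm.patch compares the two `struct bitmask` objects themselves rather than the bit arrays behind `->maskp`, and this series leaves it as is. The get_mempolicy() call just above uses `nodes2->maskp` and `nodes2->size` as separate members, so the memcmp covers a size field and a pointer value. If numa_bitmask_nbytes() exceeds the size of the struct, it also reads past both objects. `if (!numa_bitmask_equal(nodes2, nodes))` compares the mask contents instead. The parts of verify_shm() between the hunks are not shown, so any other `return` inside the loop would also need to become `goto out`.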
@@ -0,0 +1,29 @@
+From dfca78c8ee1d21d967b3a51d5488a8e8cd818ec4 Mon Sep 17 00:00:00 2001
+From: Pingfan Liu
+Date: Thu, 10 Jun 2021 11:13:59 +0800
+Subject: [PATCH 4/6] sysfs.c: don't leak fd if fail in sysfs_read()
+
+Signed-off-by: Pingfan Liu
+---
+ sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sysfs.c b/sysfs.c
+index f1cdcdc..9ddf50d 100644
+--- a/sysfs.c
++++ b/sysfs.c
+@@ -17,10 +17,10 @@ hidden char *sysfs_read(char *name)
+ int n;
+ int fd;
+
+- fd = open(name, O_RDONLY);
+ buf = malloc(SYSFS_BLOCK);
+ if (!buf)
+ return NULL;
++ fd = open(name, O_RDONLY);
+ n = read(fd, buf, SYSFS_BLOCK - 1);
+ close(fd);
+ if (n <= 0) {
+--
+2.29.2
+
diff --git a/0005-sysfs.c-prevent-mem-leak-in-sysfs_node_read.patch b/0005-sysfs.c-prevent-mem-leak-in-sysfs_node_read.patch
new file mode 100644
index 0000000..3d04f42
--- /dev/null
+++ b/0005-sysfs.c-prevent-mem-leak-in-sysfs_node_read.patch
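Review bot: The moved `fd = open(name, O_RDONLY);` in 0004-sysfs.c-don-t-leak-fd-if-fail-in-sysfs_read.patch is still used without a failure check, so a missing or unreadable file leads straight to `read(-1, ...)` and `close(-1)`. The `if (n <= 0)` test below presumably catches the failed read, but by then errno reports EBADF rather than the reason open() failed. Adding `if (fd < 0) { free(buf); return NULL; }` directly after the open keeps the leak fix and makes the failure path explicit. The rest of sysfs_read() is outside the hunk.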
@@ -0,0 +1,60 @@
+From cc1d7d17c6d2df0f603932becf238fdf264a9e30 Mon Sep 17 00:00:00 2001
+From: Pingfan Liu
+Date: Thu, 10 Jun 2021 11:17:40 +0800
+Subject: [PATCH 5/6] sysfs.c: prevent mem leak in sysfs_node_read()
+
+Signed-off-by: Pingfan Liu
+---
+ sysfs.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/sysfs.c b/sysfs.c
+index 9ddf50d..a35c4b5 100644
+--- a/sysfs.c
++++ b/sysfs.c
+@@ -33,7 +33,7 @@ hidden char *sysfs_read(char *name)
+
+ hidden int sysfs_node_read(struct bitmask *mask, char *fmt, ...)
+ {
+- int n;
++ int n, ret = 0;
+ va_list ap;
+ char *p, *fn, *m, *end;
+ int num;
+@@ -51,12 +51,18 @@ hidden int sysfs_node_read(struct bitmask *mask, char *fmt, ...)
+ m = p;
+ do {
+ num = strtol(m, &end, 0);
+- if (m == end)
+- return -1;
+- if (num < 0)
+- return -2;
+- if (num >= numa_num_task_nodes())
+- return -1;
++ if (m == end) {
++ ret = -1;
++ goto out;
++ }
++ if (num < 0) {
++ ret = -2;
++ goto out;
++ }
++ if (num >= numa_num_task_nodes()) {
++ ret = -1;
++ goto out;
++ }
+ numa_bitmask_setbit(mask, num);
+
+ /* Continuation not supported by kernel yet. */
+@@ -64,6 +70,7 @@ hidden int sysfs_node_read(struct bitmask *mask, char *fmt, ...)
+ while (isspace(*m) || *m == ',')
+ m++;
+ } while (isdigit(*m));
++out:
+ free(p);
+- return 0;
++ return ret;
+ }
+--
+2.29.2
+
diff --git a/0006-numactl.c-fix-use-after-free.patch b/0006-numactl.c-fix-use-after-free.patch
new file mode 100644
index 0000000..8832709
--- /dev/null
+++ b/0006-numactl.c-fix-use-after-free.patch
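Review bot: `num = strtol(m, &end, 0);` in the `@@ -51,12` hunk of 0005-sysfs.c-prevent-mem-leak-in-sysfs_node_read.patch narrows a `long` into `int num` before the range checks this patch rewrites. A value outside the int range can therefore wrap into range and pass both `num < 0` and `num >= numa_num_task_nodes()` before reaching numa_bitmask_setbit(). The input is a sysfs file, so this is hardening rather than a known failure, but the checks can be made exact by parsing into a local `long`, rejecting `errno == ERANGE` and out-of-range values there, and only then assigning to `num`. A short comment at `out:` should also say that bits set in `mask` by earlier iterations stay set when an error is returned. The start of sysfs_node_read(), where `p` is obtained, is outside the hunks.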
@@ -0,0 +1,30 @@
+From 498385e3aaf265d6e9786e0a391196cd82ab3260 Mon Sep 17 00:00:00 2001
+From: Pingfan Liu
+Date: Fri, 18 Jun 2021 18:14:20 +0800
+Subject: [PATCH 6/6] numactl.c: fix use after free
+
+The following command can trigger the bug
+ numactl --length 65536 --shm xxx -p0 -V > /dev/null
+
+So reset mask to block any new access inside this loop.
+
+Signed-off-by: Pingfan Liu
+---
+ numactl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/numactl.c b/numactl.c
+index 5a9d2df..ae41d6c 100644
+--- a/numactl.c
++++ b/numactl.c
+@@ -544,6 +544,7 @@ int main(int ac, char **av)
+ if (nnodes != 1)
+ usage();
+ numa_bitmask_free(mask);
++ mask = NULL;
+ errno = 0;
+ did_node_cpu_parse = 1;
+ numa_set_bind_policy(0);
+--
+2.29.2
+
diff --git a/numactl.spec b/numactl.spec
index 29a13b1..42f76a2 100644
--- a/numactl.spec
+++ b/numactl.spec
@@ -38,6 +38,11 @@ ExcludeArch: s390 %{arm}
 # Patches 601 onward are generic patches
 #
 Patch601: 0001-libnuma-make-numa_police_memory-free-of-race.patch
+Patch602: 0002-shm.c-fix-memleak-in-dump_shm.patch
+Patch603: 0003-shm.c-fix-memleak-in-verify_shm.patch
+Patch604: 0004-sysfs.c-don-t-leak-fd-if-fail-in-sysfs_read.patch
+Patch605: 0005-sysfs.c-prevent-mem-leak-in-sysfs_node_read.patch
+Patch606: 0006-numactl.c-fix-use-after-free.patch
 %description
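Review bot: `mask = NULL;` in 0006-numactl.c-fix-use-after-free.patch only clears the dangling pointer; the fix is complete only if every later use of `mask` in main()'s option loop tolerates NULL, and none of those uses are visible in this hunk. If one of them dereferences `mask` unconditionally, the use-after-free becomes a NULL dereference rather than going away, so those sites should be checked. The invariant is worth recording on the new line, e.g. `mask = NULL; /* freed above; later options must not reuse it */`. Any other `numa_bitmask_free(mask)` call in the same loop, if there is one, would need the same reset.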