Hi~ It seems that I found a bug on busybox version 1.34.1:
In libbb/xfuncs_printf.c:50, malloc is called twice, for archive_handle and archive_handle->fileheader, with 184 and 72 bytes of heap space. Back in the tar_main function, the two pointers (tar_handle, tar_handle->file_header) haven't been freed on return.

Compile cmds:
```
make O=/path/to/build defconfig
make O=/path/to/build menuconfig # and choose ASAN options
cd /path/to/build && make -j4
```

Reproduce cmd:
```
./busybox_unstripped tar -xf test.tar
```

Backtrace in gdb:
```
[#0] 0x555555e7022e → tar_main(argc=0x3, argv=0x7fffffffe430)
[#1] 0x555555b06aac → run_applet_no_and_exit(applet_no=0x148, name=0x7fffffffe709 "tar", argv=0x7fffffffe430)
[#2] 0x555555b06b6b → run_applet_and_exit(name=0x7fffffffe709 "tar", argv=0x7fffffffe430)
[#3] 0x555555b067cf → busybox_main(argv=0x7fffffffe430)
[#4] 0x555555b06b29 → run_applet_and_exit(name=0x7fffffffe6f6 "busybox_unstripped", argv=0x7fffffffe428)
[#5] 0x555555b06cbf → main(argc=0x4, argv=0x7fffffffe428)
```

LeakSanitizer log:
```
=================================================================
==120986==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 184 byte(s) in 1 object(s) allocated from:
    #0 0x7efda806bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x555577ed8987 in xmalloc /home/zy/packages/dhcp-targets/busybox-1.34.1/libbb/xfuncs_printf.c:50

Indirect leak of 72 byte(s) in 1 object(s) allocated from:
    #0 0x7efda806bb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x555577ed8987 in xmalloc /home/zy/packages/dhcp-targets/busybox-1.34.1/libbb/xfuncs_printf.c:50

SUMMARY: AddressSanitizer: 256 byte(s) leaked in 2 allocation(s).
```

The attachment is the tar file to test; it's just a simple tar file.
test.tar
Description: Unix tar archive
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
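
The ownership pattern behind the report's one direct and one indirect leak, as an added C example that is not BusyBox code and not part of the original message. All names (`demo_handle`, `demo_header`, `counted_alloc`, `demo_free_handle`) are hypothetical, and the struct layouts are constructed only to mirror the 184-byte and 72-byte objects in the log.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins (184 and 72 bytes on a typical 64-bit build); not BusyBox's structs. */
struct demo_header { char *name; char pad[64]; };
struct demo_handle { struct demo_header *file_header; char pad[176]; };
static int live_allocs;            /* blocks allocated and not yet freed */

static void *counted_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p)
        abort();                   /* die on OOM instead of returning NULL */
    live_allocs++;
    return p;
}

static void counted_free(void *p)
{
    if (p)
        live_allocs--;
    free(p);                       /* free(NULL) is a no-op */
}

/* Handle plus a header reachable only through it: drop the handle and LSan sees 1 direct + 1 indirect leak. */
struct demo_handle *demo_init_handle(void)
{
    struct demo_handle *h = counted_alloc(sizeof(*h));
    h->file_header = counted_alloc(sizeof(*h->file_header));
    return h;
}

/* Release the child before the parent; accepts NULL like free(). */
void demo_free_handle(struct demo_handle *h)
{
    if (!h)
        return;
    counted_free(h->file_header);
    counted_free(h);
}

int main(void)
{
    struct demo_handle *h = demo_init_handle();
    printf("live blocks before cleanup: %d\n", live_allocs);
    demo_free_handle(h);
    printf("live blocks after cleanup: %d\n", live_allocs);
    return live_allocs != 0;
}
```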