falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
https://falcosecurity.github.io/libs/
Apache License 2.0

double free in some scenarios #1312

Closed jaguo closed 1 year ago

jaguo commented 1 year ago

Describe the bug

https://github.com/falcosecurity/libs/blob/master/userspace/libscap/linux/scap_userlist.c#L297 If grpidx is 0, then the realloc size is 0, such as when getgrent failed.

https://linux.die.net/man/3/realloc: "If size was equal to 0, either NULL or a pointer suitable to be passed to free() is returned."

https://github.com/falcosecurity/libs/blob/master/userspace/libscap/linux/scap_userlist.c#L302 Then free(userlist->groups) will cause a double free.

FedeDP commented 1 year ago

Hi! Thanks for opening this issue! And great catch btw :) Would you mind opening a PR to fix this?
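
The failure mode reported in this issue, as an added C example that is not part of the thread and is not libscap code: a trim helper that handles a zero element count without calling realloc with size 0, so the cleanup path never frees a block that realloc already released. The names group_rec, group_list, group_list_trim, group_list_free and demo_trim are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins; these are not the libscap types. */
struct group_rec { unsigned gid; char name[32]; };
struct group_list { struct group_rec *groups; size_t ngroups; };

/* Trim list->groups to `used` elements. Returns 0 on success, -1 on failure.
 * Afterwards list->groups is NULL or a live allocation, never a stale one. */
int group_list_trim(struct group_list *list, size_t used)
{
    if (used == 0) {
        /* Avoid realloc(p, 0): it may release p and return NULL, which a
         * caller cannot tell apart from an allocation failure. */
        free(list->groups);
        list->groups = NULL;
        list->ngroups = 0;
        return 0;
    }
    if (used > SIZE_MAX / sizeof(*list->groups))
        return -1;              /* byte count would overflow */
    struct group_rec *tmp = realloc(list->groups, used * sizeof(*tmp));
    if (tmp == NULL)
        return -1;              /* old block is untouched and still owned */
    list->groups = tmp;
    list->ngroups = used;
    return 0;
}

/* Single cleanup path; free(NULL) is a no-op. */
void group_list_free(struct group_list *list)
{
    free(list->groups);
    list->groups = NULL;
    list->ngroups = 0;
}

/* Constructed scenario: `used` entries were read into 8 pre-allocated
 * slots. Returns the resulting element count, or -1 on any inconsistency. */
long demo_trim(size_t used)
{
    struct group_list l = { calloc(8, sizeof(struct group_rec)), 8 };
    int ok = l.groups != NULL && group_list_trim(&l, used) == 0
             && (used == 0) == (l.groups == NULL);
    long n = ok ? (long)l.ngroups : -1;
    group_list_free(&l);        /* safe in every branch above */
    return n;
}
```
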