Hi Frank,

On Tue, Feb 18, 2025 at 10:30:44PM -0500, Frank Ch. Eigler wrote:
> Planning to commit this shortly:
>
> commit a71bac67f4705b84368b71f5ece54deedaa1abf1 (HEAD -> master1)
> Author: Frank Ch. Eigler <f...@redhat.com>
> Date:   Tue Feb 18 22:09:12 2025 -0500
>
>     debuginfod-client: correct invalid free() in failed ima path
>
>     debuginfod-find with a failed signature configuration was found on f41
>     glibc (2.40) to sometimes leave invalid addresses in a sscanf("%ms", &ptr)
>     pointer in case of error, leading to an invalid free() during cleanup.
This does sound like a bug in glibc sscanf. I cannot find a description of what exactly happens with 'm' modifier allocated buffers on error. So I can imagine a double free if sscanf frees the buffer on error. But returning a bogus pointer? That seems a bug. If we aren't guaranteed a valid pointer (or NULL) then this could easily lead to memory leaks. I would at least report it to glibc to see if this is intentional.

Cheers,

Mark
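As an added illustration (not Frank's patch and not debuginfod code), the defensive calling pattern for the sscanf("%ms") conversions this thread is about: NULL-initialise every %m target and free only the conversions sscanf actually counted, so a pointer the library never set can not reach free(). The key=value input format and the function name are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "key=value" with two %m conversions.  On success returns 1 and
 * stores the heap-allocated value in *value_out (caller frees it).  On
 * failure returns 0 and leaves *value_out == NULL; nothing leaks and
 * nothing uninitialised is ever passed to free(). */
int parse_key_value(const char *line, char **value_out)
{
    /* Always start %m targets at NULL: if sscanf never stores into one,
     * the variable still holds a value that is safe to inspect. */
    char *key = NULL;
    char *value = NULL;
    int n;

    *value_out = NULL;
    n = sscanf(line, "%m[^=]=%ms", &key, &value);

    /* Only conversions that sscanf counted in its return value are known
     * to hold valid heap pointers.  Never free() a target belonging to a
     * conversion that was not counted, whatever happens to be in it. */
    if (n == 2) {
        free(key);
        key = NULL;
        *value_out = value;
        return 1;
    }
    if (n == 1) {
        /* The first conversion succeeded, so its buffer is ours to free;
         * the second target is left alone. */
        free(key);
        key = NULL;
    }
    /* n <= 0: no conversion completed, nothing to release. */
    return 0;
}
```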