make_temp() creates a named temporary file, which even after deletion
will keep a negative dentry cache entry that's never freed.

As we don't use the file name for anything, we can just get our
temporary file via open(O_TMPFILE), which won't involve the dentry cache
at all and thereby avoids leaking memory when fuzzing uncompress_buf_to_buf.

Signed-off-by: Ahmad Fatoum <[email protected]>
---
 lib/uncompress.c | 34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/lib/uncompress.c b/lib/uncompress.c
index 71ac882b87fe..bfe042fcf83e 100644
--- a/lib/uncompress.c
+++ b/lib/uncompress.c
@@ -185,30 +185,26 @@ int uncompress_buf_to_fd(const void *input, size_t 
input_len,
 ssize_t uncompress_buf_to_buf(const void *input, size_t input_len,
                              void **buf, void(*error_fn)(char *x))
 {
-       char *dstpath;
        size_t size;
-       int outfd, ret;
+       int fd, ret;
+       void *p;
 
-       dstpath = make_temp("data-uncompressed");
-       if (!dstpath)
-               return -ENOMEM;
+       fd = open("/tmp", O_TMPFILE | O_RDWR);
+       if (fd < 0)
+               return -ENODEV;
 
-       outfd = open(dstpath, O_CREAT | O_WRONLY);
-       if (outfd < 0) {
-               ret = -ENODEV;
-               goto free_temp;
-       }
-
-       ret = uncompress_buf_to_fd(input, input_len, outfd, error_fn);
+       ret = uncompress_buf_to_fd(input, input_len, fd, error_fn);
        if (ret)
-               goto close_outfd;
+               goto close_fd;
 
-       *buf = read_file(dstpath, &size);
-close_outfd:
-       close(outfd);
-       unlink(dstpath);
-free_temp:
-       free(dstpath);
+       p = read_fd(fd, &size);
+       if (p)
+               *buf = p;
+       else
+               ret = -errno;
+
+close_fd:
+       close(fd);
 
        return ret ?: size;
 }
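Review bot: The `else ret = -errno;` branch after `read_fd()` only signals failure when errno is non-zero; if `read_fd()` ever returns NULL with errno still 0, `ret` stays 0 and `return ret ?: size` hands back an uninitialized `size` while `*buf` was never written, so a caller would treat a stale pointer as a decompressed buffer of arbitrary length. `read_fd()` is not visible in this hunk, so whether every one of its failure paths sets errno is an assumption; `ret = errno ? -errno : -EIO;` together with `size_t size = 0;` would make the error path self-contained. The same caveat applies to the read position: after `uncompress_buf_to_fd()` the descriptor's offset sits at the end of the written data, so the code relies on `read_fd()` reading from offset 0 rather than from the current position, which deserves a one-line comment above the call. The open failure is still reported as `-ENODEV` whatever errno says, which hides the case where the filesystem behind `/tmp` does not support `O_TMPFILE`; returning `-errno` there would make that diagnosable.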
-- 
2.39.2

