tools/cgxget: free temporary conversions on failure paths

kamalesh-babulal · kamalesh-babulal · commit 440f57ff5ab9 · 2026-03-13T22:02:45.000+05:30
AddressSanitizer reported an 8-byte leak when convert_cgroups() aborted: Direct leak of 8 byte(s) in 1 object(s) allocated from: #0 0x... in __interceptor_malloc #1 convert_cgroups (<libcgroup-source>/src/tools/cgxget.c:822) libcgroup#2 main (<libcgroup-source>/src/tools/cgxget.c:893) The helper allocates a scratch cgroup list, but on failures or ECGNOVERSIONCONVERT it returned without releasing the partially built array. Worse, when the scratch malloc failed we still treated the conversion as “success” and left the old list pointing nowhere. Return an error if the allocation fails, zero-initialise the scratch list so we can free partially populated slots safely, free every temporary cgroup before returning on error, and only after a successful conversion free the original list (including the pointer array) before swapping in the new one. With these guards in place the ASan leak report is gone. Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
diff --git a/src/tools/cgxget.c b/src/tools/cgxget.c
@@ -826,8 +826,11 @@ static int convert_cgroups(struct cgroup **cgrp_list[], int cgrp_list_len,
 	int i = 0, j, ret = 0;
 
 	cgrp_converted_list = malloc(cgrp_list_len * sizeof(struct cgroup *));
-	if (cgrp_converted_list == NULL)
+	if (cgrp_converted_list == NULL) {
+		ret = ECGOTHER;
 		goto out;
+	}
+	memset(cgrp_converted_list, 0, cgrp_list_len * sizeof(struct cgroup *));
 
 	for (i = 0; i < cgrp_list_len; i++) {
 		cgrp_converted_list[i] = cgroup_new_cgroup((*cgrp_list)[i]->name);
@@ -843,20 +846,21 @@ static int convert_cgroups(struct cgroup **cgrp_list[], int cgrp_list_len,
 	}
 
 out:
-	if (ret != 0 && ret != ECGNOVERSIONCONVERT) {
-		/* The conversion failed */
-		for (j = 0; j < i; j++)
-			cgroup_free(&(cgrp_converted_list[j]));
-		free(cgrp_converted_list);
-	} else {
-		/*
-		 * The conversion succeeded or was unmappable.
-		 * Free the old list.
-		 */
+	if (ret == 0 || ret == ECGNOVERSIONCONVERT) {
+		struct cgroup **old_list = *cgrp_list;
+
+		/* Conversion succeeded: drop old list and publish the new one. */
 		for (i = 0; i < cgrp_list_len; i++)
-			cgroup_free(&(*cgrp_list)[i]);
+			cgroup_free(&old_list[i]);
+		free(old_list);
 
 		*cgrp_list = cgrp_converted_list;
+	} else if (cgrp_converted_list) {
+		for (j = 0; j < cgrp_list_len; j++) {
+			if (cgrp_converted_list[j])
+				cgroup_free(&(cgrp_converted_list[j]));
+		}
+		free(cgrp_converted_list);
 	}
 
 	return ret;
