Fix potential memory leaks in RingBufferBuilder::build()

d-e-s-o · danielocfb · commit aa060c0f40bf · 2024-08-06T11:00:11.000-07:00
When we build up a RingBuffer object via the RingBufferBuilder::build() function, we may leak memory on error paths, because of the usage of raw pointers. Fix the issue by: 1) stop converting boxes into raw pointers to begin with, which should be fine given that libbpf does not actually dereference the sample callback pointer in ring_buffer__new() or ring_buffer__add(). 2) properly freeing the ring buffer if we return early because we failed to successfully add a callback. Closes: #862 Signed-off-by: Daniel Müller <deso@posteo.net>
diff --git a/libbpf-rs/CHANGELOG.md b/libbpf-rs/CHANGELOG.md
@@ -22,6 +22,7 @@ Unreleased
 - Adjusted `OpenMap::set_inner_map_fd` to return `Result`
 - Adjusted `ProgramInput::context_in` field to be a mutable reference
 - Made inner `query::Tag` contents publicly accessible
+- Fixed potential memory leak in `RingBufferBuilder::build`
 - Removed `Display` implementation of various `enum` types
 
 
diff --git a/libbpf-rs/src/ringbuf.rs b/libbpf-rs/src/ringbuf.rs
@@ -3,6 +3,7 @@ use std::fmt::Debug;
 use std::fmt::Formatter;
 use std::fmt::Result as FmtResult;
 use std::ops::Deref as _;
+use std::ops::DerefMut as _;
 use std::os::raw::c_ulong;
 use std::os::unix::prelude::AsRawFd;
 use std::os::unix::prelude::BorrowedFd;
@@ -89,40 +90,48 @@ impl<'slf, 'cb: 'slf> RingBufferBuilder<'slf, 'cb> {
         let c_sample_cb: libbpf_sys::ring_buffer_sample_fn = Some(Self::call_sample_cb);
 
         for (fd, callback) in self.fd_callbacks {
-            let sample_cb_ptr = Box::into_raw(Box::new(callback));
+            let mut sample_cb = Box::new(callback);
             match rb_ptr {
                 None => {
                     // Allocate a new ringbuf manager and add a ringbuf to it
+                    // SAFETY: All pointers are valid or rightly NULL.
+                    //         The object referenced by `sample_cb` is
+                    //         not modified by `libbpf`
                     let ptr = unsafe {
                         libbpf_sys::ring_buffer__new(
                             fd.as_raw_fd(),
                             c_sample_cb,
-                            sample_cb_ptr as *mut _,
+                            sample_cb.deref_mut() as *mut _ as *mut _,
                             null_mut(),
                         )
                     };
                     let ptr = validate_bpf_ret(ptr).context("failed to create new ring buffer")?;
                     rb_ptr = Some(ptr)
                 }
-                Some(ptr) => {
+                Some(mut ptr) => {
                     // Add a ringbuf to the existing ringbuf manager
+                    // SAFETY: All pointers are valid or rightly NULL.
+                    //         The object referenced by `sample_cb` is
+                    //         not modified by `libbpf`
                     let err = unsafe {
                         libbpf_sys::ring_buffer__add(
                             ptr.as_ptr(),
                             fd.as_raw_fd(),
                             c_sample_cb,
-                            sample_cb_ptr as *mut _,
+                            sample_cb.deref_mut() as *mut _ as *mut _,
                         )
                     };
 
                     // Handle errors
                     if err != 0 {
+                        // SAFETY: The pointer is valid.
+                        let () = unsafe { libbpf_sys::ring_buffer__free(ptr.as_mut()) };
                         return Err(Error::from_raw_os_error(err));
                     }
                 }
             }
 
-            unsafe { cbs.push(Box::from_raw(sample_cb_ptr)) };
+            let () = cbs.push(sample_cb);
         }
 
         match rb_ptr {
