From deffa393961d9bb5243333ebf026d0dad84393dd Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 6 Feb 2024 11:47:23 +0100
Subject: [PATCH 1/6] cgroup: fix leak of cpus/mems string buffer

Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/cgroup-setup.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/libcrun/cgroup-setup.c b/src/libcrun/cgroup-setup.c
index 517be900a..25b572587 100644
--- a/src/libcrun/cgroup-setup.c
+++ b/src/libcrun/cgroup-setup.c
@@ -42,6 +42,8 @@ static int
 initialize_cpuset_subsystem_rec (char *path, size_t path_len, char *cpus, char *mems, runtime_spec_schema_config_linux_resources *resources, libcrun_error_t *err)
 {
+  cleanup_free char *allocated_cpus = NULL;
+  cleanup_free char *allocated_mems = NULL;
   cleanup_close int dirfd = -1;
   cleanup_close int mems_fd = -1;
   cleanup_close int cpus_fd = -1;
@@ -118,9 +120,9 @@ initialize_cpuset_subsystem_rec (char *path, size_t path_len, char *cpus, char *
   if (resources && resources->cpu)
     {
       if (resources->cpu->cpus && ! has_cpus)
-        cpus = xstrdup (resources->cpu->cpus);
+        cpus = allocated_cpus = xstrdup (resources->cpu->cpus);
       if (resources->cpu->mems && ! has_mems)
-        mems = xstrdup (resources->cpu->mems);
+        mems = allocated_mems = xstrdup (resources->cpu->mems);
     }

   /* Finally, if we have a fd to populate, write the value chosen. If we have a value from the resources struct to base it off of,
From 242bb34cee09e9c48d9d01222af00eb3a009935a Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 6 Feb 2024 11:49:14 +0100
Subject: [PATCH 2/6] cgroup: do not leak dirfd

Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/cgroup-systemd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libcrun/cgroup-systemd.c b/src/libcrun/cgroup-systemd.c
index 7d85a8dca..83ae93b32 100644
--- a/src/libcrun/cgroup-systemd.c
+++ b/src/libcrun/cgroup-systemd.c
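Review bot: The new assignments `cpus = allocated_cpus = xstrdup (resources->cpu->cpus);` and `mems = allocated_mems = xstrdup (resources->cpu->mems);` leave `cpus`/`mems` aliasing either the caller's buffer or a locally owned copy, and nothing in the hunk says so, which is exactly the aliasing a later edit will break by freeing or reassigning the wrong one. I would add above the `if (resources && resources->cpu)` block: `/* cpus/mems may alias the caller's buffers; allocated_* own only the copies made here, so cleanup_free releases them and the parameters stay borrowed. */`. Going by the `_rec` suffix the function appears to recurse (not visible here); if the pointers are passed down, the callee must keep treating them as borrowed, which this change preserves. The rest of initialize_cpuset_subsystem_rec, including the write of the chosen value, lies outside the hunk.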
@@ -206,7 +206,6 @@ static int
 setup_missing_cpu_options_for_systemd (runtime_spec_schema_config_linux_resources *resources, bool cgroup2, const char *path, libcrun_error_t *err)
 {
   cleanup_free char *cgroup_path = NULL;
-  cleanup_close int dirfd = -1;
   int parent;
   int ret;
@@ -218,6 +217,8 @@ setup_missing_cpu_options_for_systemd (runtime_spec_schema_config_linux_resource

   for (parent = 0; parent < 2; parent++)
     {
+      cleanup_close int dirfd = -1;
+
       if (cgroup2)
         ret = append_paths (&cgroup_path, err, CGROUP_ROOT, path ? path : "", (parent ? ".." : NULL), NULL);
       else
From e72f3bced14a0b7bc3a9a03bad824157875969bb Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 6 Feb 2024 11:58:47 +0100
Subject: [PATCH 3/6] container: fix leak of mount_options_list

Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/container.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index 5a734a0b0..8424471b6 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -3913,7 +3913,7 @@ populate_capabilities (struct features_info_s *info, char ***capabilities, size_
 static void
 retrieve_mount_options (struct features_info_s **info)
 {
-  const struct propagation_flags_s *mount_options_list;
+  cleanup_free const struct propagation_flags_s *mount_options_list = NULL;
   size_t num_mount_options = 0;

   // Retrieve mount options from wordlist
From 1716fdeb9a4ff048e9158bd4f06a1beac69cf72f Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 6 Feb 2024 12:00:03 +0100
Subject: [PATCH 4/6] container: do not leak version_string

Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/container.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index 8424471b6..5091e2d99 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
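Review bot: `dirfd` is now scoped per iteration, but `cgroup_path` is still declared once outside the loop while `ret = append_paths (&cgroup_path, ...)` runs on both iterations, so whether the first iteration's string is released depends on append_paths freeing or reallocating `*out`, which this hunk does not show. Either confirm that contract, or move `cleanup_free char *cgroup_path = NULL;` into the loop body next to `cleanup_close int dirfd = -1;` so each iteration owns its own path and the question disappears. With `dirfd` inside the loop body, any `return` from the error handling after the append_paths call (outside the hunk) now closes the descriptor correctly, which is the point of the change. The body of setup_missing_cpu_options_for_systemd continues past the hunk.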
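Review bot: Putting `cleanup_free` on `mount_options_list` is only correct if whatever fills it after the `// Retrieve mount options from wordlist` comment (outside the hunk) returns a heap allocation the caller owns; if it hands back a pointer into a static table, this turns a leak report into a free() of non-heap memory. It also needs confirming that the code copying the options into `*info` duplicates the `.name` strings rather than storing the pointers, otherwise freeing the list at return leaves the features struct dangling. A one-line comment at the declaration stating who allocated it, e.g. `/* heap-allocated by the wordlist helper; owned and freed here. */`, would record the contract for the next reader. The rest of retrieve_mount_options lies outside the hunk.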
@@ -4000,7 +4000,7 @@ libcrun_container_get_features (libcrun_context_t *context, struct features_info
   int size = snprintf (NULL, 0, "%u.%u.%u", version->major, version->minor, version->micro) + 1;
   char *version_string = xmalloc0 (size);
   snprintf (version_string, size, "%u.%u.%u", version->major, version->minor, version->micro);
-  (*info)->annotations.io_github_seccomp_libseccomp_version = xstrdup (version_string);
+  (*info)->annotations.io_github_seccomp_libseccomp_version = version_string;
 }
 #endif

From 31b08fc928aa5f896854624a214f7c7aeb40a836 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 6 Feb 2024 12:00:58 +0100
Subject: [PATCH 5/6] container: do not leak capabilities buffer

Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/container.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcrun/container.c b/src/libcrun/container.c
index 5091e2d99..1c4c71f58 100644
--- a/src/libcrun/container.c
+++ b/src/libcrun/container.c
@@ -3940,8 +3940,8 @@ libcrun_container_get_features (libcrun_context_t *context, struct features_info
   size_t num_actions = sizeof (actions) / sizeof (actions[0]);
   size_t num_hooks = sizeof (hooks) / sizeof (hooks[0]);
   size_t num_archs = sizeof (archs) / sizeof (archs[0]);
+  cleanup_free char **capabilities = NULL;
   size_t num_capabilities = 0;
-  char **capabilities = NULL;

   *info = xmalloc0 (sizeof (struct features_info_s));

From fdb41c3a689339d502333c6252dfc1b544589776 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Tue, 6 Feb 2024 12:23:11 +0100
Subject: [PATCH 6/6] linux: initialize options variable

Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
index 772a0dd0f..e27793604 100644
--- a/src/libcrun/linux.c
+++ b/src/libcrun/linux.c
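Review bot: Ownership of `version_string` now passes silently into `(*info)->annotations`, and nothing near `char *version_string = xmalloc0 (size);` says the features struct is responsible for freeing it; I would add `/* ownership moves to (*info)->annotations; released with the features struct. */` on the assignment line. If the project has an asprintf-style wrapper available in this file (not visible here), the snprintf/xmalloc0/snprintf triple could collapse into one call and drop the `+ 1` size arithmetic entirely. The enclosing `#ifdef` block and libcrun_container_get_features extend beyond the hunk.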
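Review bot: `cleanup_free char **capabilities = NULL;` releases only the outer `char **` array, never the strings it points to, and the hunk shows neither how populate_capabilities fills it nor how the result reaches `*info`. If the array holds xstrdup'd names that are later copied into `*info`, each string still leaks after this change; if `*info` instead takes the array itself, this frees memory the returned features struct still references. Please check the populate call below the hunk and record the outcome at the declaration, e.g. `/* scratch list; populate_capabilities copies the names into *info */` or its inverse, whichever is true. libcrun_container_get_features continues outside the hunk.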
@@ -4020,7 +4020,7 @@ maybe_get_idmapped_mount (runtime_spec_schema_config_schema *def, runtime_spec_s
   cleanup_close int fd = -1;
   const char *idmap_option;
   bool recursive = false;
-  const char *options;
+  const char *options = NULL;
   char proc_path[64];
   bool has_mappings;
   int ret;
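Review bot: Initialising `options` to NULL makes a read before assignment deterministic but not necessarily correct: whichever line later consumes `options` (the body of maybe_get_idmapped_mount is outside the hunk) must accept NULL, or the former uninitialised read becomes a NULL dereference on the same path. If NULL legitimately means "no mount options", state it at the declaration, e.g. `/* NULL until parsed below; consumers treat NULL as "no options" */`, so the initializer is understood as a contract rather than a warning silencer.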