SAST Potential resource leaks

[arinochk]

The static analyzer has identified several instances of potential resource leaks.

In notify_socket.go L180, a bidirectional read-write pipe is opened. If the function exits at line 188, this pipe is not closed.

In libcontainer/init_linux.go L192, a file descriptor fifoFile is opened. The function returns at line 199 without closing the allocated resource.

In libcontainer/process_linux.go L74, when the NewSockPair function is called, it creates file descriptors which are stored in comm.initSockParent and comm.initSockChild. If the function returns early at lines 80 or 84, these file descriptors are not closed, as the function returns nil. The same applies to comm.syncSockParent and comm.syncSockChild created at line 78.

In mount_linux.go#L287, a file descriptor mountFile is created. The function then returns at lines 298, 303, and 325 without closing the allocated resources.

Could you please confirm if these are indeed genuine resource leaks?

[kolyshkin]

From the first glance they all look legit, the mitigating factors here are

• these errors paths are rare;
• this code is mostly used by runc which is a short-lived binary so all fds are closed once it exits.

Thank you for reporting it, I opened #5009 to fix.