| Message ID | 20221017085937.8583-1-shangxiaojing@huawei.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp1341903wrs;
Mon, 17 Oct 2022 02:01:41 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM7IpeFUzDoMe5bN7RebyKFsjxzJH8qao9EXgUAAwmzbLssiw6AbPpoqSYo5fWRWkswQvT4x
X-Received: by 2002:a17:907:6d9b:b0:78d:ce6a:3300 with SMTP id
sb27-20020a1709076d9b00b0078dce6a3300mr7554862ejc.91.1665997301478;
Mon, 17 Oct 2022 02:01:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1665997301; cv=none;
d=google.com; s=arc-20160816;
b=oZ4T5hpH0FWIl4ZCEQmx6WeR4sub5b2qxkY6XYhidWkFfzyCFqmiIGTHduR5pi9urx
SFBSV+Y/BEWvQXwRrCtZlA4dsV39fWaHkIq0LCO464r4GnNvHMb44LHAQvlTna3mmaP4
WMLPw+ksOLqmB+GWk9O16qozSGZ3IkfCs9xNgh8WiKup6vv/dM9D/qXchgg2EdjX66Xk
Rr++S3WVJPSq8tWL0WKkufuK9T25OLLXHCx9jYi8vJjYgzMp7sOC3DMvJ83MtrEZ0RtA
5YMCpGxRBI2QWDH2+gHlqoBNoHC7iZDPtR4ej2xzHJ4kqN+OlahKfgqPFP65pzVCOQ/W
CJEg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from;
bh=xS9h+83SJakMuK5aeaj9DUw3UXXLiFxycEAA2IHmCxs=;
b=VNHFI1lpqjg88OfYV0LDlJV4Ug+n5B3iO31qhZachaSuIUUtRCmVjUfq7TxfisS0lg
MDcP9CEyG/fibO2GLnu5U+CT7DFsZKTfdQXr3RYCKZvM/D8fev/uNHTOK2I3ZYxpdqD/
MHnArivfc+I1ovyCImvTNlXfeeXWLnrR21TqdTbGQQywrQAjG66UuIJoRx2ZVuFObAZh
Dg/z6ATfgvQgWhXqJnkj1loKzMWpUi0Ec3RvfgXDrAd6F/tzysnFKiYrvKI2CSgK5PMw
WS2fz9SgI224wbzEOprlJLlRPwXmcnXiR7l1odtEiFnYlk+Dci4l7kOLw3t5KtrcpKGB
TC8w==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
o16-20020aa7c510000000b0045c2a0de3ddsi7710705edq.150.2022.10.17.02.01.15;
Mon, 17 Oct 2022 02:01:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230317AbiJQJAs (ORCPT <rfc822;ouuuleilei@gmail.com> + 99 others);
Mon, 17 Oct 2022 05:00:48 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56228 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230435AbiJQJA0 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 17 Oct 2022 05:00:26 -0400
Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3205D1C429
for <linux-kernel@vger.kernel.org>;
Mon, 17 Oct 2022 02:00:19 -0700 (PDT)
Received: from dggemv704-chm.china.huawei.com (unknown [172.30.72.55])
by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4MrW6c6SnXz1P7DS;
Mon, 17 Oct 2022 16:55:36 +0800 (CST)
Received: from kwepemm600008.china.huawei.com (7.193.23.88) by
dggemv704-chm.china.huawei.com (10.3.19.47) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Mon, 17 Oct 2022 17:00:17 +0800
Received: from huawei.com (10.175.100.227) by kwepemm600008.china.huawei.com
(7.193.23.88) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 17 Oct
2022 17:00:17 +0800
From: Shang XiaoJing <shangxiaojing@huawei.com>
To: <rostedt@goodmis.org>, <acme@redhat.com>,
<linux-kernel@vger.kernel.org>
CC: <namhyung@kernel.org>, <shangxiaojing@huawei.com>
Subject: [PATCH] tools lib traceevent: Fix double free in event_read_fields()
Date: Mon, 17 Oct 2022 16:59:37 +0800
Message-ID: <20221017085937.8583-1-shangxiaojing@huawei.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.175.100.227]
X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To
kwepemm600008.china.huawei.com (7.193.23.88)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1746924786463575177?=
X-GMAIL-MSGID: =?utf-8?q?1746924786463575177?=
|
| Series |
tools lib traceevent: Fix double free in event_read_fields()
|
|
Commit Message
Shang XiaoJing
Oct. 17, 2022, 8:59 a.m. UTC
There is a double free in event_read_fields(). After calling free_token()
to free the token, if append() failed, then goto fail, which will call
free_token() again. Triggered by compiling with perf and run "perf sched
record". Fix the double free by goto fail_expect instead of fail while
append() failed, which won't call redundant free_token().
BUG: double free
free(): double free detected in tcache 2
Aborted
Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
---
tools/lib/traceevent/event-parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Mon, 17 Oct 2022 16:59:37 +0800 Shang XiaoJing <shangxiaojing@huawei.com> wrote: > There is a double free in event_read_fields(). After calling free_token() > to free the token, if append() failed, then goto fail, which will call > free_token() again. Triggered by compiling with perf and run "perf sched > record". Fix the double free by goto fail_expect instead of fail while > append() failed, which won't call redundant free_token(). > > BUG: double free > free(): double free detected in tcache 2 > Aborted > > Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path") > Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com> > --- > tools/lib/traceevent/event-parse.c | 2 +- tool/lib/traceevent is deprecated. Can you send this patch to linux-trace-devel@vger.kernel.org against https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/ Thanks! -- Steve > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c > index 8e24c4c78c7f..e0a5a22fe702 100644 > --- a/tools/lib/traceevent/event-parse.c > +++ b/tools/lib/traceevent/event-parse.c > @@ -1594,7 +1594,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field ** > ret = append(&brackets, "", "]"); > if (ret < 0) { > free(brackets); > - goto fail; > + goto fail_expect; > } > > /* add brackets to type */
On 2022/10/21 5:23, Steven Rostedt wrote: > On Mon, 17 Oct 2022 16:59:37 +0800 > Shang XiaoJing <shangxiaojing@huawei.com> wrote: > >> There is a double free in event_read_fields(). After calling free_token() >> to free the token, if append() failed, then goto fail, which will call >> free_token() again. Triggered by compiling with perf and run "perf sched >> record". Fix the double free by goto fail_expect instead of fail while >> append() failed, which won't call redundant free_token(). >> >> BUG: double free >> free(): double free detected in tcache 2 >> Aborted >> >> Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path") >> Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com> >> --- >> tools/lib/traceevent/event-parse.c | 2 +- > > tool/lib/traceevent is deprecated. > > Can you send this patch to linux-trace-devel@vger.kernel.org against > > https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/ > ok, thanks for the reminder. Thanks,
diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c index 8e24c4c78c7f..e0a5a22fe702 100644 --- a/tools/lib/traceevent/event-parse.c +++ b/tools/lib/traceevent/event-parse.c @@ -1594,7 +1594,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field ** ret = append(&brackets, "", "]"); if (ret < 0) { free(brackets); - goto fail; + goto fail_expect; } /* add brackets to type */