All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 0/3] libtracefs: Some fixes for sqlhis
@ 2022-08-19  2:03 Steven Rostedt
  2022-08-19  2:03 ` [PATCH 1/3] libtracefs: Fix use after free in tracefs_synth_alloc() Steven Rostedt
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Steven Rostedt @ 2022-08-19  2:03 UTC (permalink / raw)
  To: linux-trace-devel; +Cc: Steven Rostedt (Google)

From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

While playing with sqlhist, I found three bugs.

 Two dealing with freeing issues.

 One where the matching is more restrictive than the kernel.

Steven Rostedt (Google) (3):
  libtracefs: Fix use after free in tracefs_synth_alloc()
  libtracefs: Remove double free attempt of new_event in
    tracefs_synth_echo_cmd()
  libtracefs sqlhist: Allow pointers to match longs

 src/tracefs-hist.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

-- 
2.35.1


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH 1/3] libtracefs: Fix use after free in tracefs_synth_alloc()
  2022-08-19  2:03 [PATCH 0/3] libtracefs: Some fixes for sqlhis Steven Rostedt
@ 2022-08-19  2:03 ` Steven Rostedt
  2022-08-19  2:03 ` [PATCH 2/3] libtracefs: Remove double free attempt of new_event in tracefs_synth_echo_cmd() Steven Rostedt
  2022-08-19  2:03 ` [PATCH 3/3] libtracefs sqlhist: Allow pointers to match longs Steven Rostedt
  2 siblings, 0 replies; 4+ messages in thread
From: Steven Rostedt @ 2022-08-19  2:03 UTC (permalink / raw)
  To: linux-trace-devel; +Cc: Steven Rostedt (Google)

From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

The synth new_format is set after the error condition is checked and the
synth is freed (on error), causing a SIGSEV when that occurs.

Fixes: 74a6754b9e67b ("libtracefs: Check README to know if we should do old onmatch format")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 src/tracefs-hist.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/tracefs-hist.c b/src/tracefs-hist.c
index 2f12cc471294..6f7d657bd404 100644
--- a/src/tracefs-hist.c
+++ b/src/tracefs-hist.c
@@ -1091,9 +1091,8 @@ struct tracefs_synth *tracefs_synth_alloc(struct tep_handle *tep,
 	if (!synth->name || !synth->start_keys || !synth->end_keys || ret) {
 		tracefs_synth_free(synth);
 		synth = NULL;
-	}
-
-	synth->new_format = has_new_format();
+	} else
+		synth->new_format = has_new_format();
 
 	return synth;
 }
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH 2/3] libtracefs: Remove double free attempt of new_event in tracefs_synth_echo_cmd()
  2022-08-19  2:03 [PATCH 0/3] libtracefs: Some fixes for sqlhis Steven Rostedt
  2022-08-19  2:03 ` [PATCH 1/3] libtracefs: Fix use after free in tracefs_synth_alloc() Steven Rostedt
@ 2022-08-19  2:03 ` Steven Rostedt
  2022-08-19  2:03 ` [PATCH 3/3] libtracefs sqlhist: Allow pointers to match longs Steven Rostedt
  2 siblings, 0 replies; 4+ messages in thread
From: Steven Rostedt @ 2022-08-19  2:03 UTC (permalink / raw)
  To: linux-trace-devel; +Cc: Steven Rostedt (Google)

From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

The "out_free" path frees the synth->dyn_event if new_event is set, but it
is also freed in the success path (that falls through into the out_free
path). The only reason this did not crash is because both cases set the
"synth->dyn_event" to NULL, where the second attempt to free it does
nothing. But this is still a bug.

Fixes: d7c5dbb7a231e ("libtracefs: Use the internal dynamic events API when creating synthetic events")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 src/tracefs-hist.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/tracefs-hist.c b/src/tracefs-hist.c
index 6f7d657bd404..302b9a75e6ee 100644
--- a/src/tracefs-hist.c
+++ b/src/tracefs-hist.c
@@ -2311,11 +2311,6 @@ int tracefs_synth_echo_cmd(struct trace_seq *seq,
 			 hist, path, synth->end_event->system,
 			 synth->end_event->name);
 
-	if (new_event) {
-		tracefs_dynevent_free(synth->dyn_event);
-		synth->dyn_event = NULL;
-	}
-
 	ret = 0;
  out_free:
 	free(hist);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH 3/3] libtracefs sqlhist: Allow pointers to match longs
  2022-08-19  2:03 [PATCH 0/3] libtracefs: Some fixes for sqlhis Steven Rostedt
  2022-08-19  2:03 ` [PATCH 1/3] libtracefs: Fix use after free in tracefs_synth_alloc() Steven Rostedt
  2022-08-19  2:03 ` [PATCH 2/3] libtracefs: Remove double free attempt of new_event in tracefs_synth_echo_cmd() Steven Rostedt
@ 2022-08-19  2:03 ` Steven Rostedt
  2 siblings, 0 replies; 4+ messages in thread
From: Steven Rostedt @ 2022-08-19  2:03 UTC (permalink / raw)
  To: linux-trace-devel; +Cc: Steven Rostedt (Google)

From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

Currently, if a field that is a long tries to match a field that is a
pointer, tracefs_sqlhist() will fail with incompatible fields. But the
kernel will still allow it to match, do not fail here.

Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 src/tracefs-hist.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/tracefs-hist.c b/src/tracefs-hist.c
index 302b9a75e6ee..14988d8dc185 100644
--- a/src/tracefs-hist.c
+++ b/src/tracefs-hist.c
@@ -796,6 +796,7 @@ static bool verify_event_fields(struct tep_event *start_event,
 {
 	const struct tep_format_field *start_field;
 	const struct tep_format_field *end_field;
+	int start_flags, end_flags;
 
 	if (!trace_verify_event_field(start_event, start_field_name,
 				      &start_field))
@@ -806,7 +807,11 @@ static bool verify_event_fields(struct tep_event *start_event,
 					      &end_field))
 			return false;
 
-		if (start_field->flags != end_field->flags ||
+		/* A pointer can still match a long */
+		start_flags = start_field->flags & ~TEP_FIELD_IS_POINTER;
+		end_flags = end_field->flags & ~TEP_FIELD_IS_POINTER;
+
+		if (start_flags != end_flags ||
 		    start_field->size != end_field->size) {
 			errno = EBADE;
 			return false;
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-08-19  2:03 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-19  2:03 [PATCH 0/3] libtracefs: Some fixes for sqlhis Steven Rostedt
2022-08-19  2:03 ` [PATCH 1/3] libtracefs: Fix use after free in tracefs_synth_alloc() Steven Rostedt
2022-08-19  2:03 ` [PATCH 2/3] libtracefs: Remove double free attempt of new_event in tracefs_synth_echo_cmd() Steven Rostedt
2022-08-19  2:03 ` [PATCH 3/3] libtracefs sqlhist: Allow pointers to match longs Steven Rostedt

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.