linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] tools lib traceevent: Fix double free in event_read_fields()
@ 2022-10-17  8:59 Shang XiaoJing
  2022-10-20 21:23 ` Steven Rostedt
  0 siblings, 1 reply; 3+ messages in thread
From: Shang XiaoJing @ 2022-10-17  8:59 UTC (permalink / raw)
  To: rostedt, acme, linux-kernel; +Cc: namhyung, shangxiaojing

There is a double free in event_read_fields(). After calling free_token()
to free the token, if append() failed, then goto fail, which will call
free_token() again. Triggered by compiling with perf and run "perf sched
record". Fix the double free by goto fail_expect instead of fail while
append() failed, which won't call redundant free_token().

BUG: double free
free(): double free detected in tcache 2
Aborted

Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
---
 tools/lib/traceevent/event-parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
index 8e24c4c78c7f..e0a5a22fe702 100644
--- a/tools/lib/traceevent/event-parse.c
+++ b/tools/lib/traceevent/event-parse.c
@@ -1594,7 +1594,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field **
 			ret = append(&brackets, "", "]");
 			if (ret < 0) {
 				free(brackets);
-				goto fail;
+				goto fail_expect;
 			}
 
 			/* add brackets to type */
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] tools lib traceevent: Fix double free in event_read_fields()
  2022-10-17  8:59 [PATCH] tools lib traceevent: Fix double free in event_read_fields() Shang XiaoJing
@ 2022-10-20 21:23 ` Steven Rostedt
  2022-10-21  1:01   ` shangxiaojing
  0 siblings, 1 reply; 3+ messages in thread
From: Steven Rostedt @ 2022-10-20 21:23 UTC (permalink / raw)
  To: Shang XiaoJing; +Cc: acme, linux-kernel, namhyung

On Mon, 17 Oct 2022 16:59:37 +0800
Shang XiaoJing <shangxiaojing@huawei.com> wrote:

> There is a double free in event_read_fields(). After calling free_token()
> to free the token, if append() failed, then goto fail, which will call
> free_token() again. Triggered by compiling with perf and run "perf sched
> record". Fix the double free by goto fail_expect instead of fail while
> append() failed, which won't call redundant free_token().
> 
> BUG: double free
> free(): double free detected in tcache 2
> Aborted
> 
> Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path")
> Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
> ---
>  tools/lib/traceevent/event-parse.c | 2 +-

tool/lib/traceevent is deprecated.

Can you send this patch to linux-trace-devel@vger.kernel.org against

  https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/

Thanks!

-- Steve


>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
> index 8e24c4c78c7f..e0a5a22fe702 100644
> --- a/tools/lib/traceevent/event-parse.c
> +++ b/tools/lib/traceevent/event-parse.c
> @@ -1594,7 +1594,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field **
>  			ret = append(&brackets, "", "]");
>  			if (ret < 0) {
>  				free(brackets);
> -				goto fail;
> +				goto fail_expect;
>  			}
>  
>  			/* add brackets to type */


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] tools lib traceevent: Fix double free in event_read_fields()
  2022-10-20 21:23 ` Steven Rostedt
@ 2022-10-21  1:01   ` shangxiaojing
  0 siblings, 0 replies; 3+ messages in thread
From: shangxiaojing @ 2022-10-21  1:01 UTC (permalink / raw)
  To: Steven Rostedt; +Cc: acme, linux-kernel, namhyung



On 2022/10/21 5:23, Steven Rostedt wrote:
> On Mon, 17 Oct 2022 16:59:37 +0800
> Shang XiaoJing <shangxiaojing@huawei.com> wrote:
> 
>> There is a double free in event_read_fields(). After calling free_token()
>> to free the token, if append() failed, then goto fail, which will call
>> free_token() again. Triggered by compiling with perf and run "perf sched
>> record". Fix the double free by goto fail_expect instead of fail while
>> append() failed, which won't call redundant free_token().
>>
>> BUG: double free
>> free(): double free detected in tcache 2
>> Aborted
>>
>> Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path")
>> Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
>> ---
>>   tools/lib/traceevent/event-parse.c | 2 +-
> 
> tool/lib/traceevent is deprecated.
> 
> Can you send this patch to linux-trace-devel@vger.kernel.org against
> 
>    https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/
> 
ok, thanks for the reminder.

Thanks,
-- 
Shang XiaoJing

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-21  1:01 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-17  8:59 [PATCH] tools lib traceevent: Fix double free in event_read_fields() Shang XiaoJing
2022-10-20 21:23 ` Steven Rostedt
2022-10-21  1:01   ` shangxiaojing

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).