* [PATCH] tools lib traceevent: Fix double free in event_read_fields()
@ 2022-10-17 8:59 Shang XiaoJing
2022-10-20 21:23 ` Steven Rostedt
0 siblings, 1 reply; 3+ messages in thread
From: Shang XiaoJing @ 2022-10-17 8:59 UTC (permalink / raw)
To: rostedt, acme, linux-kernel; +Cc: namhyung, shangxiaojing
There is a double free in event_read_fields(). After calling free_token()
to free the token, if append() failed, then goto fail, which will call
free_token() again. Triggered by compiling with perf and run "perf sched
record". Fix the double free by goto fail_expect instead of fail while
append() failed, which won't call redundant free_token().
BUG: double free
free(): double free detected in tcache 2
Aborted
Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
---
tools/lib/traceevent/event-parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
index 8e24c4c78c7f..e0a5a22fe702 100644
--- a/tools/lib/traceevent/event-parse.c
+++ b/tools/lib/traceevent/event-parse.c
@@ -1594,7 +1594,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field **
ret = append(&brackets, "", "]");
if (ret < 0) {
free(brackets);
- goto fail;
+ goto fail_expect;
}
/* add brackets to type */
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] tools lib traceevent: Fix double free in event_read_fields()
2022-10-17 8:59 [PATCH] tools lib traceevent: Fix double free in event_read_fields() Shang XiaoJing
@ 2022-10-20 21:23 ` Steven Rostedt
2022-10-21 1:01 ` shangxiaojing
0 siblings, 1 reply; 3+ messages in thread
From: Steven Rostedt @ 2022-10-20 21:23 UTC (permalink / raw)
To: Shang XiaoJing; +Cc: acme, linux-kernel, namhyung
On Mon, 17 Oct 2022 16:59:37 +0800
Shang XiaoJing <shangxiaojing@huawei.com> wrote:
> There is a double free in event_read_fields(). After calling free_token()
> to free the token, if append() failed, then goto fail, which will call
> free_token() again. Triggered by compiling with perf and run "perf sched
> record". Fix the double free by goto fail_expect instead of fail while
> append() failed, which won't call redundant free_token().
>
> BUG: double free
> free(): double free detected in tcache 2
> Aborted
>
> Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path")
> Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
> ---
> tools/lib/traceevent/event-parse.c | 2 +-
tool/lib/traceevent is deprecated.
Can you send this patch to linux-trace-devel@vger.kernel.org against
https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/
Thanks!
-- Steve
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
> index 8e24c4c78c7f..e0a5a22fe702 100644
> --- a/tools/lib/traceevent/event-parse.c
> +++ b/tools/lib/traceevent/event-parse.c
> @@ -1594,7 +1594,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field **
> ret = append(&brackets, "", "]");
> if (ret < 0) {
> free(brackets);
> - goto fail;
> + goto fail_expect;
> }
>
> /* add brackets to type */
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] tools lib traceevent: Fix double free in event_read_fields()
2022-10-20 21:23 ` Steven Rostedt
@ 2022-10-21 1:01 ` shangxiaojing
0 siblings, 0 replies; 3+ messages in thread
From: shangxiaojing @ 2022-10-21 1:01 UTC (permalink / raw)
To: Steven Rostedt; +Cc: acme, linux-kernel, namhyung
On 2022/10/21 5:23, Steven Rostedt wrote:
> On Mon, 17 Oct 2022 16:59:37 +0800
> Shang XiaoJing <shangxiaojing@huawei.com> wrote:
>
>> There is a double free in event_read_fields(). After calling free_token()
>> to free the token, if append() failed, then goto fail, which will call
>> free_token() again. Triggered by compiling with perf and run "perf sched
>> record". Fix the double free by goto fail_expect instead of fail while
>> append() failed, which won't call redundant free_token().
>>
>> BUG: double free
>> free(): double free detected in tcache 2
>> Aborted
>>
>> Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path")
>> Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
>> ---
>> tools/lib/traceevent/event-parse.c | 2 +-
>
> tool/lib/traceevent is deprecated.
>
> Can you send this patch to linux-trace-devel@vger.kernel.org against
>
> https://git.kernel.org/pub/scm/libs/libtrace/libtraceevent.git/
>
ok, thanks for the reminder.
Thanks,
--
Shang XiaoJing
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-21 1:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-17 8:59 [PATCH] tools lib traceevent: Fix double free in event_read_fields() Shang XiaoJing
2022-10-20 21:23 ` Steven Rostedt
2022-10-21 1:01 ` shangxiaojing
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).