[PATCH 6/6] subcmd: fix memory leak in parse_options_subcommand

Linux Perf Users
 help / color / mirror / Atom feed

From: Wang Haoran <haoranwangsec@gmail.com>
To: acme@kernel.org
Cc: peterz@infradead.org, mingo@redhat.com, namhyung@kernel.org,
	mark.rutland@arm.com, alexander.shishkin@linux.intel.com,
	linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org,
	haoranwangsec@gmail.com
Subject: [PATCH 6/6] subcmd: fix memory leak in parse_options_subcommand
Date: Fri, 29 May 2026 14:50:45 +0800	[thread overview]
Message-ID: <178003744574.62097.15841011812312422288@gmail.com> (raw)
In-Reply-To: <178003738371.62097.10360938456907564684@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3077 bytes --]

>From 9e71ffe9400fd54c4fc958b16229e5628271e4ad Mon Sep 17 00:00:00 2001
From: Wang Haoran <haoranwangsec@gmail.com>
Date: Thu, 28 May 2026 15:18:33 +0800
Subject: [PATCH 6/6] subcmd: fix memory leak in parse_options_subcommand

When subcommands are present and no usage string has been provided,
parse_options_subcommand() builds a usage string via astrcat() and
stores it in usagestr[0], but never frees it.  The allocation leaks
on every normal return path.

Move the buf pointer to function scope and free it before returning.

Fixes: <parse_options_subcommand>
Signed-off-by: Wang Haoran <haoranwangsec@gmail.com>
---
 tools/lib/subcmd/parse-options.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/lib/subcmd/parse-options.c b/tools/lib/subcmd/parse-options.c
index 555d617c1..1eb8053e8 100644
--- a/tools/lib/subcmd/parse-options.c
+++ b/tools/lib/subcmd/parse-options.c
@@ -633,10 +633,10 @@ int parse_options_subcommand(int argc, const char **argv, const struct option *o
 			const char *const subcommands[], const char *usagestr[], int flags)
 {
 	struct parse_opt_ctx_t ctx;
+	char *buf = NULL;
 
 	/* build usage string if it's not provided */
 	if (subcommands && !usagestr[0]) {
-		char *buf = NULL;
 
 		astrcatf(&buf, "%s %s [<options>] {", subcmd_config.exec_name, argv[0]);
 
@@ -680,6 +680,7 @@ int parse_options_subcommand(int argc, const char **argv, const struct option *o
 		usage_with_options(usagestr, options);
 	}
 
+	free(buf);
 	return parse_options_end(&ctx);
 }
 
-- 
2.53.0



---
ASan output on perf 7.0.6 (unpatched) with the attached PoC:

Perf file header corrupt: header overlaps attrs
incompatible file format (rerun with -v to learn more)
Perf session creation failed.

=================================================================
==55949==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73 byte(s) in 1 object(s) allocated from:
    #0 0x77ab3032b60f in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x77ab2ee96e6e in __vasprintf_internal libio/vasprintf.c:116
    #2 0x77ab2ef43172 in ___asprintf_chk debug/asprintf_chk.c:34
    #3 0x568d03932ee3 in asprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:206
    #4 0x568d03932ee3 in astrcat 
    #5 0x568d03932ee3 in parse_options_subcommand 
    #6 0x568d038cdef0 in cmd_sched (perf+0x33eef0) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #7 0x568d0391287f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #8 0x568d03785836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #9 0x77ab2ee2a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #10 0x77ab2ee2a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x568d0378d754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

Objects leaked above:
0x741b2e1e0800 (73 bytes)

SUMMARY: AddressSanitizer: 73 byte(s) leaked in 1 allocation(s).

[-- Attachment #2: crash_err255_iter46.data --]
[-- Type: application/octet-stream, Size: 4760 bytes --]

     prev parent reply	other threads:[~2026-05-29  6:50 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-29  6:49 [PATCH 0/6] perf: fix six memory-safety vulnerabilities in sched/header/subcmd Wang Haoran
2026-05-29  6:49 ` [PATCH 1/6] perf/sched: fix memory leaks in schedstat processing Wang Haoran
2026-05-29  6:50 ` [PATCH 2/6] perf/header: validate bitmap size before allocation in do_read_bitmap Wang Haoran
2026-05-29  6:50 ` [PATCH 3/6] perf/header: reject data offset beyond file size Wang Haoran
2026-05-29  6:50 ` [PATCH 4/6] perf/header: add bounds check for domain index in process_cpu_domain_info Wang Haoran
2026-05-29  6:50 ` [PATCH 5/6] perf/sched: replace list_first_entry with list_first_entry_or_null Wang Haoran
2026-05-29  6:50 ` Wang Haoran [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:555d617c dfblob:1eb8053e )
 OR (
bs:"subcmd: fix memory leak in parse_options_subcommand" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=178003744574.62097.15841011812312422288@gmail.com \
    --to=haoranwangsec@gmail.com \
    --cc=acme@kernel.org \
    --cc=alexander.shishkin@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=mingo@redhat.com \
    --cc=namhyung@kernel.org \
    --cc=peterz@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox