linux-trace-devel.vger.kernel.org archive mirror
* [PATCH] fix double free issue in event_read_print_args
@ 2024-06-27  6:51 Totoro W
From: Totoro W @ 2024-06-27  6:51 UTC (permalink / raw)
  To: linux-trace-devel

commit cb227dfc63346a23fd019f2146b4f9f4f5a58b6a (HEAD -> fix_double_free)
Author: Tw <tw19881113@gmail.com>
Date:   Thu Jun 27 14:40:09 2024 +0800

    Fix double free issue in event_read_print_args

    The corner case is when we encounter an invalid right argument of a
    condition operation. Currently, we free the token immediately, but it
    will also be freed when `arg->op.op` is freed.

    BTW, the crash calltrace is as follows:

    Program received signal SIGSEGV, Segmentation fault.
    get_meta (p=<optimized out>) at
/home/tw/code/zig/build/stage3/lib/zig/libc/musl/src/malloc/mallocng/meta.h:141
    141     /home/tw/code/zig/build/stage3/lib/zig/libc/musl/src/malloc/mallocng/meta.h:
No such file or directory.
    (gdb) bt
        at /home/tw/code/zig/build/stage3/lib/zig/libc/musl/src/malloc/mallocng/meta.h:141
        at /home/tw/code/zig/build/stage3/lib/zig/libc/musl/src/malloc/mallocng/free.c:105
        at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:1128
        list@entry=0x7ff7b18768)
        at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:1417
        at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:3895
        sys=<optimized out>)
        at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:7824
        size=<optimized out>, sys=sys@entry=0x7ff7ff51c0 "kvm")
        at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:7882
        buf=0x7ff7b0c610 "kvm_sys_access", size=549616874800,
sys=0x7fffffe0b2 "me", sys@entry=0x7ff7ff51c0 "kvm")
        at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:7945
        tracing_dir=tracing_dir@entry=0x7ff7ffc660
"/sys/kernel/tracing", system=system@entry=0x7ff7ff51c0 "kvm",
        check=false)
        at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1062
        system=0x7ff7ff51c0 "kvm")
        at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1084
        tep=tep@entry=0x7ff7ffc830, sys_names=sys_names@entry=0x0,
parsing_failures=0x0,
        parsing_failures@entry=0x7fffffe7b0)
        at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1284
        sys_names@entry=0x7ffffff880)
        at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1355
        tracing_dir=0x6500006c6f6f62 <error: Cannot access memory at
address 0x6500006c6f6f62>)
        at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1377

    Signed-off-by: Tw <tw19881113@gmail.com>
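
To make the ownership mistake described above concrete, here is an added C model (not libtraceevent code): the token becomes `arg->op.op` before the right-hand side of the condition is parsed, so a free on the error path plus the caller's `free_arg()` releases the same pointer twice. The `tracked_free()` ledger is a constructed stand-in for a debugging allocator so both variants run without aborting; `token_free_count(1)` models the code before the patch, `token_free_count(0)` the code after.

```c
#include <stdlib.h>
/* Stand-in for struct tep_print_arg: only the op.op string matters here. */
struct print_arg { struct { char *op; } op; };
/* Constructed free ledger: records each released pointer and how often.  A
 * repeat release is counted instead of reaching free(), so the buggy variant
 * can be observed without aborting the process.  Three entries suffice. */
static void *ledger_ptr[4];
static int ledger_cnt[4], ledger_n;
static int ledger_index(void *p)
{
	for (int i = 0; i < ledger_n; i++)
		if (ledger_ptr[i] == p)
			return i;
	return -1;
}
static void tracked_free(void *p)
{
	int i = ledger_index(p);
	if (i >= 0) { ledger_cnt[i]++; return; }	/* double free: count it, do not free again */
	ledger_ptr[ledger_n] = p;
	ledger_cnt[ledger_n++] = 1;
	free(p);
}
/* free_arg() owns everything hanging off the arg, including op.op. */
static void free_arg(struct print_arg *arg)
{
	tracked_free(arg->op.op);
	tracked_free(arg);
}
/* Like process_op(): token becomes arg->op.op before the right-hand side is
 * parsed; free_on_error stands for the two lines the patch removes. */
static int process_op(struct print_arg *arg, char *token, int free_on_error)
{
	arg->op.op = token;
	if (free_on_error)		/* process_cond() rejects the right argument */
		tracked_free(token);	/* first release; arg->op.op still points here */
	return -1;			/* TEP_EVENT_ERROR */
}
/* One failed parse; returns how many times the token was released. */
static int token_free_count(int free_on_error)
{
	ledger_n = 0;
	char *token = malloc(8);	/* constructed token, stands for "?" */
	struct print_arg *arg = calloc(1, sizeof *arg);
	if (process_op(arg, token, free_on_error) < 0)
		free_arg(arg);		/* caller cleanup, as in event_read_print_args() */
	int i = ledger_index(token);
	return i < 0 ? 0 : ledger_cnt[i];
}
```

With a real allocator the second release is what the SIGSEGV inside musl's `free()` in the calltrace above corresponds to; the ledger merely makes it countable.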


* Re: [PATCH] fix double free issue in event_read_print_args
@ 2024-06-28  1:51 Totoro W
From: Totoro W @ 2024-06-28  1:51 UTC (permalink / raw)
  To: Totoro W; +Cc: linux-trace-devel

Oops, the patch part was missing; here it is:

diff --git a/src/event-parse.c b/src/event-parse.c
index 9f0522c..1f51ee9 100644
--- a/src/event-parse.c
+++ b/src/event-parse.c
@@ -2375,8 +2375,6 @@ process_op(struct tep_event *event, struct
tep_print_arg *arg, char **tok)

                /* it will set arg->op.right */
                type = process_cond(event, arg, tok);
-               if (type == TEP_EVENT_ERROR)
-                       free(token);

        } else if (strcmp(token, ">>") == 0 ||
                   strcmp(token, "<<") == 0 ||
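Review bot: dropping `free(token)` after `process_cond()` is only correct because `token` has already been stored in `arg->op.op` at this point and is released later through the arg, which is what the commit message alludes to ("it will also be freed when `arg->op.op` is freed") but nothing in the hunk shows. Please add a short comment above `type = process_cond(event, arg, tok);`, along the lines of `/* arg->op.op owns token from here on; freed with the arg */`, or state the ownership transfer explicitly in the commit message, so the next reader does not reinstate the free. Minor: the removed lines called plain `free()` on a token while the caller uses `free_token()`; removing them also removes that inconsistency, which is worth a mention.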
@@ -3787,7 +3785,7 @@ static int event_read_print_args(struct
tep_event *event, struct tep_print_arg *
 {
        enum tep_event_type type = TEP_EVENT_ERROR;
        struct tep_print_arg *arg;
-       char *token;
+       char *token = NULL;
        int args = 0;

        do {
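Review bot: `char *token = NULL;` is a defensive initialisation rather than part of the double free the commit message describes, which lives entirely in the `process_cond()` error path of the previous hunk. It only changes behaviour if some path reaches `free_token(token)` before `token` has been assigned; if such a path exists, name it in the commit message, otherwise this line and the `token = NULL;` in the next hunk belong in a separate cleanup patch so the fix stays minimal and bisectable.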
@@ -3817,6 +3815,7 @@ static int event_read_print_args(struct
tep_event *event, struct tep_print_arg *
                if (type == TEP_EVENT_OP) {
                        type = process_op(event, arg, &token);
                        free_token(token);
+                       token = NULL;

                        if (consolidate_op_arg(arg) < 0)
                                type = TEP_EVENT_ERROR;
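Review bot: `free_token(token);` still runs right after `type = process_op(event, arg, &token);` on the error path, so the fix depends on `process_cond()` leaving `*tok` as NULL (or as a token not owned by `arg`) when it fails; if it can return with `*tok` pointing at the string that is now `arg->op.op`, this call reintroduces the double free the patch removes. Please confirm that in the commit message or the comment above `process_cond()`. The added `token = NULL;` avoids a dangling pointer after the free, but nothing in the visible context reads `token` again before it is reassigned, so it is hygiene rather than part of the fix and is better split out with the initialisation above.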


* Re: [PATCH] fix double free issue in event_read_print_args
@ 2024-06-28 15:34 ` Steven Rostedt
From: Steven Rostedt @ 2024-06-28 15:34 UTC (permalink / raw)
  To: Totoro W; +Cc: linux-trace-devel

On Fri, 28 Jun 2024 09:51:10 +0800
Totoro W <tw19881113@gmail.com> wrote:

> Oops, missing the patch part, here it is:

Could you send a v2 with all the contents?

Thanks,

-- Steve

> 
> diff --git a/src/event-parse.c b/src/event-parse.c
> index 9f0522c..1f51ee9 100644
> --- a/src/event-parse.c
> +++ b/src/event-parse.c
> @@ -2375,8 +2375,6 @@ process_op(struct tep_event *event, struct
> tep_print_arg *arg, char **tok)
> 
>                 /* it will set arg->op.right */
>                 type = process_cond(event, arg, tok);
> -               if (type == TEP_EVENT_ERROR)
> -                       free(token);
> 
>         } else if (strcmp(token, ">>") == 0 ||
>                    strcmp(token, "<<") == 0 ||
> @@ -3787,7 +3785,7 @@ static int event_read_print_args(struct
> tep_event *event, struct tep_print_arg *
>  {
>         enum tep_event_type type = TEP_EVENT_ERROR;
>         struct tep_print_arg *arg;
> -       char *token;
> +       char *token = NULL;
>         int args = 0;
> 
>         do {
> @@ -3817,6 +3815,7 @@ static int event_read_print_args(struct
> tep_event *event, struct tep_print_arg *
>                 if (type == TEP_EVENT_OP) {
>                         type = process_op(event, arg, &token);
>                         free_token(token);
> +                       token = NULL;
> 
>                         if (consolidate_op_arg(arg) < 0)
>                                 type = TEP_EVENT_ERROR;



* Re: [PATCH] fix double free issue in event_read_print_args
@ 2024-06-28 15:35 ` Steven Rostedt
From: Steven Rostedt @ 2024-06-28 15:35 UTC (permalink / raw)
  To: Totoro W; +Cc: linux-trace-devel

On Thu, 27 Jun 2024 14:51:42 +0800
Totoro W <tw19881113@gmail.com> wrote:

> commit cb227dfc63346a23fd019f2146b4f9f4f5a58b6a (HEAD -> fix_double_free)
> Author: Tw <tw19881113@gmail.com>
> Date:   Thu Jun 27 14:40:09 2024 +0800
> 
>     Fix double free issue in event_read_print_args
> 
>     The corner case is when we encounter an invalid right argument of a
>     condition operation. Currently, we free the token immediately, but it
>     will also be freed when `arg->op.op` is freed.
> 
>     BTW, the crash calltrace is as follows:
> 
>     Program received signal SIGSEGV, Segmentation fault.
>     get_meta (p=<optimized out>) at
> /home/tw/code/zig/build/stage3/lib/zig/libc/musl/src/malloc/mallocng/meta.h:141
>     141     /home/tw/code/zig/build/stage3/lib/zig/libc/musl/src/malloc/mallocng/meta.h:
> No such file or directory.
>     (gdb) bt
>         at /home/tw/code/zig/build/stage3/lib/zig/libc/musl/src/malloc/mallocng/meta.h:141
>         at /home/tw/code/zig/build/stage3/lib/zig/libc/musl/src/malloc/mallocng/free.c:105
>         at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:1128
>         list@entry=0x7ff7b18768)
>         at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:1417
>         at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:3895
>         sys=<optimized out>)
>         at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:7824
>         size=<optimized out>, sys=sys@entry=0x7ff7ff51c0 "kvm")
>         at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:7882
>         buf=0x7ff7b0c610 "kvm_sys_access", size=549616874800,
> sys=0x7fffffe0b2 "me", sys@entry=0x7ff7ff51c0 "kvm")
>         at /tmp/.cache/zig/p/12207a2e4477bf4414e7df3eb2172c698ab916695a0d3eefbf16f65b0c969dd81184/src/event-parse.c:7945
>         tracing_dir=tracing_dir@entry=0x7ff7ffc660
> "/sys/kernel/tracing", system=system@entry=0x7ff7ff51c0 "kvm",
>         check=false)
>         at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1062
>         system=0x7ff7ff51c0 "kvm")
>         at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1084
>         tep=tep@entry=0x7ff7ffc830, sys_names=sys_names@entry=0x0,
> parsing_failures=0x0,
>         parsing_failures@entry=0x7fffffe7b0)
>         at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1284
>         sys_names@entry=0x7ffffff880)
>         at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1355
>         tracing_dir=0x6500006c6f6f62 <error: Cannot access memory at
> address 0x6500006c6f6f62>)
>         at /tmp/.cache/zig/p/1220c1c006cbf05434d240b65f343c84f3d7f837fbef31f2cade733ec911cc3ed76b/src/tracefs-events.c:1377
> 
>     Signed-off-by: Tw <tw19881113@gmail.com>

It's best to use git send-email for sending patches, as it will send them properly.

-- Steve

