| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220423001311.31e2dff59708ddd3043e55af@kernel.org>
Date: Sat, 23 Apr 2022 00:13:11 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: Keita Suzuki <keitasuzuki.park@...ab.ics.keio.ac.jp>
Cc: mhiramat@...nel.org, Steven Rostedt <rostedt@...dmis.org>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
Tom Zanussi <zanussi@...nel.org>,
Tom Zanussi <tom.zanussi@...ux.intel.com>
Subject: Re: [PATCH] tracing: Fix potential double free in create_var_ref()
Hi Keita,
On Fri, 22 Apr 2022 06:00:25 +0000
Keita Suzuki <keitasuzuki.park@...ab.ics.keio.ac.jp> wrote:
> In create_var_ref(), init_var_ref() is called to initialize the fields
> of variable ref_field, which is allocated in the previous function call
> to create_hist_field(). Function init_var_ref() allocates the
> corresponding fields such as ref_field->system, but frees these fields
> when the function encounters an error. The caller later calls
> destroy_hist_field() to conduct error handling, which frees the fields
> and the variable itself. This results in double free of the fields which
> are already freed in the previous function.
>
> Fix this by storing NULL to the corresponding fields when they are freed
> in init_var_ref().
>
Good catch! this looks good to me.
Reviewed-by: Masami Hiramatsu <mhiramat@...nel.org>
BTW, could you Cc the original code authoer and if you fix a bug and
add Fixes: tag? That will help the original author can check the bug and
help stable kernel maintainers to pick the patch. :)
To find the original commit, you can use the 'git blame'.
$ git blame kernel/trace/trace_events_hist.c -L 2093,2100
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2093) return err;
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2094) free:
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2095) kfree(ref_field->system);
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2096) kfree(ref_field->event_name);
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2097) kfree(ref_field->name);
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2098)
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2099) goto out;
067fe038e70f6 (Tom Zanussi 2018-01-15 20:51:56 -0600 2100) }
Then, git show will tell you the original author.
$ git show 067fe038e70f6
And get the format of the commit for Fixes tag.
$ git --no-pager show -s --abbrev-commit --abbrev=12 --pretty=format:"%h (\"%s\")%n" 067fe038e70f6
067fe038e70f ("tracing: Add variable reference handling to hist triggers")
Then you can add lines like:
Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
Cc: stable@...r.kernel.org
Thank you,
> Signed-off-by: Keita Suzuki <keitasuzuki.park@...ab.ics.keio.ac.jp>
> ---
> kernel/trace/trace_events_hist.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
> index 44db5ba9cabb..a0e41906d9ce 100644
> --- a/kernel/trace/trace_events_hist.c
> +++ b/kernel/trace/trace_events_hist.c
> @@ -2093,8 +2093,11 @@ static int init_var_ref(struct hist_field *ref_field,
> return err;
> free:
> kfree(ref_field->system);
> + ref_field->system = NULL;
> kfree(ref_field->event_name);
> + ref_field->event_name = NULL;
> kfree(ref_field->name);
> + ref_field->name = NULL;
>
> goto out;
> }
> --
> 2.25.1
>
--
Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists