| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YwjSP83b3u2Hp5Le@kernel.org>
Date: Fri, 26 Aug 2022 11:01:35 -0300
From: Arnaldo Carvalho de Melo <acme@...nel.org>
To: Ian Rogers <irogers@...gle.com>
Cc: Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Mark Rutland <mark.rutland@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...nel.org>,
Namhyung Kim <namhyung@...nel.org>,
linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org,
Stephane Eranian <eranian@...gle.com>
Subject: Re: [PATCH v2] perf sched: Fix memory leaks in __cmd_record
Em Wed, Aug 24, 2022 at 07:57:33AM -0700, Ian Rogers escreveu:
> An array of strings is passed to cmd_record but not freed. As
> cmd_record modifies the array, add another array as a copy that can be
> mutated allowing the original array contents to all be freed.
>
> Detected with -fsanitize=address.
Thanks, applied.
- Arnaldo
> Signed-off-by: Ian Rogers <irogers@...gle.com>
> ---
> tools/perf/builtin-sched.c | 24 +++++++++++++++++++-----
> 1 file changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
> index 2f6cd1b8b662..a5cf243c337f 100644
> --- a/tools/perf/builtin-sched.c
> +++ b/tools/perf/builtin-sched.c
> @@ -3355,7 +3355,8 @@ static bool schedstat_events_exposed(void)
> static int __cmd_record(int argc, const char **argv)
> {
> unsigned int rec_argc, i, j;
> - const char **rec_argv;
> + char **rec_argv;
> + const char **rec_argv_copy;
> const char * const record_args[] = {
> "record",
> "-a",
> @@ -3384,6 +3385,7 @@ static int __cmd_record(int argc, const char **argv)
> ARRAY_SIZE(schedstat_args) : 0;
>
> struct tep_event *waking_event;
> + int ret;
>
> /*
> * +2 for either "-e", "sched:sched_wakeup" or
> @@ -3391,14 +3393,18 @@ static int __cmd_record(int argc, const char **argv)
> */
> rec_argc = ARRAY_SIZE(record_args) + 2 + schedstat_argc + argc - 1;
> rec_argv = calloc(rec_argc + 1, sizeof(char *));
> -
> if (rec_argv == NULL)
> return -ENOMEM;
> + rec_argv_copy = calloc(rec_argc + 1, sizeof(char *));
> + if (rec_argv_copy == NULL) {
> + free(rec_argv);
> + return -ENOMEM;
> + }
>
> for (i = 0; i < ARRAY_SIZE(record_args); i++)
> rec_argv[i] = strdup(record_args[i]);
>
> - rec_argv[i++] = "-e";
> + rec_argv[i++] = strdup("-e");
> waking_event = trace_event__tp_format("sched", "sched_waking");
> if (!IS_ERR(waking_event))
> rec_argv[i++] = strdup("sched:sched_waking");
> @@ -3409,11 +3415,19 @@ static int __cmd_record(int argc, const char **argv)
> rec_argv[i++] = strdup(schedstat_args[j]);
>
> for (j = 1; j < (unsigned int)argc; j++, i++)
> - rec_argv[i] = argv[j];
> + rec_argv[i] = strdup(argv[j]);
>
> BUG_ON(i != rec_argc);
>
> - return cmd_record(i, rec_argv);
> + memcpy(rec_argv_copy, rec_argv, sizeof(char *) * rec_argc);
> + ret = cmd_record(rec_argc, rec_argv_copy);
> +
> + for (i = 0; i < rec_argc; i++)
> + free(rec_argv[i]);
> + free(rec_argv);
> + free(rec_argv_copy);
> +
> + return ret;
> }
>
> int cmd_sched(int argc, const char **argv)
> --
> 2.37.2.609.g9ff673ca1a-goog
--
- Arnaldo
Powered by blists - more mailing lists