| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20221017085937.8583-1-shangxiaojing@huawei.com>
Date: Mon, 17 Oct 2022 16:59:37 +0800
From: Shang XiaoJing <shangxiaojing@...wei.com>
To: <rostedt@...dmis.org>, <acme@...hat.com>,
<linux-kernel@...r.kernel.org>
CC: <namhyung@...nel.org>, <shangxiaojing@...wei.com>
Subject: [PATCH] tools lib traceevent: Fix double free in event_read_fields()
There is a double free in event_read_fields(). After calling free_token()
to free the token, if append() failed, then goto fail, which will call
free_token() again. Triggered by compiling with perf and run "perf sched
record". Fix the double free by goto fail_expect instead of fail while
append() failed, which won't call redundant free_token().
BUG: double free
free(): double free detected in tcache 2
Aborted
Fixes: d286447f23cd ("tools lib traceevent: Handle realloc() failure path")
Signed-off-by: Shang XiaoJing <shangxiaojing@...wei.com>
---
tools/lib/traceevent/event-parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
index 8e24c4c78c7f..e0a5a22fe702 100644
--- a/tools/lib/traceevent/event-parse.c
+++ b/tools/lib/traceevent/event-parse.c
@@ -1594,7 +1594,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field **
ret = append(&brackets, "", "]");
if (ret < 0) {
free(brackets);
- goto fail;
+ goto fail_expect;
}
/* add brackets to type */
--
2.17.1
Powered by blists - more mailing lists