lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAM9d7chFv38q+a9m_OE-dP1aSUpvd35tM1V7DA_t756O6hrTUA@mail.gmail.com>
Date: Wed, 1 May 2024 12:46:38 -0700
From: Namhyung Kim <namhyung@...nel.org>
To: Ian Rogers <irogers@...gle.com>
Cc: zhaimingbing <zhaimingbing@...s.chinamobile.com>, 
	Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...hat.com>, 
	Arnaldo Carvalho de Melo <acme@...nel.org>, Mark Rutland <mark.rutland@....com>, 
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Jiri Olsa <jolsa@...nel.org>, 
	Adrian Hunter <adrian.hunter@...el.com>, Kan Liang <kan.liang@...ux.intel.com>, 
	linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] perf lock: More strdup argument freeing

On Tue, Apr 30, 2024 at 11:42 AM Ian Rogers <irogers@...gle.com> wrote:
>
> Leak sanitizer complains about the strdup-ed arguments not being
> freed. rec_argv is reordered and duplicates inserted, meaning making
> all its contents strdup-ed and freeing them all leads to double frees
> or leaks. Add an extra array to track strup-ed arguments and free
> them. This makes address sanitier running `perf test` "kernel lock
> contention analysis test" memory leak free.
>
> Signed-off-by: Ian Rogers <irogers@...gle.com>
> ---
>  tools/perf/builtin-lock.c | 44 +++++++++++++++++++++++----------------
>  1 file changed, 26 insertions(+), 18 deletions(-)
>
> diff --git a/tools/perf/builtin-lock.c b/tools/perf/builtin-lock.c
> index 230461280e45..26c059397cdf 100644
> --- a/tools/perf/builtin-lock.c
> +++ b/tools/perf/builtin-lock.c
> @@ -2230,10 +2230,11 @@ static int __cmd_record(int argc, const char **argv)
>         const char *callgraph_args[] = {
>                 "--call-graph", "fp," __stringify(CONTENTION_STACK_DEPTH),
>         };
> -       unsigned int rec_argc, i, j, ret;
> +       unsigned int rec_argc, i, j, dups = 0, ret;
>         unsigned int nr_tracepoints;
>         unsigned int nr_callgraph_args = 0;
>         const char **rec_argv;
> +       char **to_free;
>         bool has_lock_stat = true;
>
>         for (i = 0; i < ARRAY_SIZE(lock_tracepoints); i++) {
> @@ -2270,28 +2271,25 @@ static int __cmd_record(int argc, const char **argv)
>         /* factor of 2 is for -e in front of each tracepoint */
>         rec_argc += 2 * nr_tracepoints;
>
> -       rec_argv = calloc(rec_argc + 1, sizeof(char *));
> +       rec_argv = calloc(rec_argc + 1, sizeof(*rec_argv));
>         if (!rec_argv)
>                 return -ENOMEM;
>
> -       for (i = 0; i < ARRAY_SIZE(record_args); i++)
> -               rec_argv[i] = strdup(record_args[i]);
> -
> -       for (j = 0; j < nr_tracepoints; j++) {
> -               const char *ev_name;
> +       to_free = calloc(rec_argc, sizeof(*to_free));
> +       if (!to_free)
> +               return -ENOMEM;

Need to free rec_argv.  'goto out' would be fine.

>
> -               if (has_lock_stat)
> -                       ev_name = strdup(lock_tracepoints[j].name);
> -               else
> -                       ev_name = strdup(contention_tracepoints[j].name);
> -
> -               if (!ev_name) {
> -                       free(rec_argv);
> -                       return -ENOMEM;
> -               }
>
> +       for (i = 0; i < ARRAY_SIZE(record_args);) {
> +               to_free[dups] = strdup(record_args[i]);
> +               rec_argv[i++] = to_free[dups++];
> +       }
> +       for (j = 0; j < nr_tracepoints; j++) {
> +               to_free[dups] = strdup(has_lock_stat
> +                                      ? lock_tracepoints[j].name
> +                                      : contention_tracepoints[j].name);
>                 rec_argv[i++] = "-e";
> -               rec_argv[i++] = ev_name;
> +               rec_argv[i++] = to_free[dups++];

Now I'm curious why we copy the string in the first place.
Maybe not needed..?

Thanks,
Namhyung


>         }
>
>         for (j = 0; j < nr_callgraph_args; j++, i++)
> @@ -2302,7 +2300,17 @@ static int __cmd_record(int argc, const char **argv)
>
>         BUG_ON(i != rec_argc);
>
> -       ret = cmd_record(i, rec_argv);
> +       for (i = 0; i < dups; i++) {
> +               if (to_free[i] == NULL) {
> +                       ret = -ENOMEM;
> +                       goto out;
> +               }
> +       }
> +       ret = cmd_record(rec_argc, rec_argv);
> +out:
> +       for (i = 0; i < dups; i++)
> +               zfree(&to_free[i]);
> +       free(to_free);
>         free(rec_argv);
>         return ret;
>  }
> --
> 2.45.0.rc0.197.gbae5840b3b-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ