lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251117184409.42831-14-wander@redhat.com>
Date: Mon, 17 Nov 2025 15:41:20 -0300
From: Wander Lairson Costa <wander@...hat.com>
To: Steven Rostedt <rostedt@...dmis.org>,
	Wander Lairson Costa <wander@...hat.com>,
	Tomas Glozar <tglozar@...hat.com>,
	Ivan Pravdin <ipravdin.official@...il.com>,
	Crystal Wood <crwood@...hat.com>,
	John Kacur <jkacur@...hat.com>,
	Costa Shulyupin <costa.shul@...hat.com>,
	Tiezhu Yang <yangtiezhu@...ngson.cn>,
	linux-trace-kernel@...r.kernel.org (open list:Real-time Linux Analysis (RTLA) tools),
	linux-kernel@...r.kernel.org (open list),
	bpf@...r.kernel.org (open list:BPF [MISC]:Keyword:(?:\b|_)bpf(?:\b|_))
Subject: [rtla 13/13] rtla: Fix inconsistent state in actions_add_* functions

The actions_add_trace_output() and actions_add_shell() functions
leave the action list in an inconsistent state when strdup() fails.
The actions_new() function increments self->len before returning a
pointer to the new action slot, but if the subsequent strdup()
allocation fails, the function returns an error without decrementing
self->len back.

This leaves an action object in an invalid state within the list.
When actions_destroy() or other functions iterate over the list
using for_each_action(), they will access this invalid entry with
uninitialized fields, potentially leading to undefined behavior.

Fix this by decrementing self->len when strdup() fails, effectively
returning the allocated slot back to the pool and maintaining list
consistency even when memory allocation fails.

Signed-off-by: Wander Lairson Costa <wander@...hat.com>
---
 tools/tracing/rtla/src/actions.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/tools/tracing/rtla/src/actions.c b/tools/tracing/rtla/src/actions.c
index 2d153d5efdea2..4aaaedadcc42a 100644
--- a/tools/tracing/rtla/src/actions.c
+++ b/tools/tracing/rtla/src/actions.c
@@ -76,11 +76,13 @@ actions_add_trace_output(struct actions *self, const char *trace_output)
 	if (!action)
 		return -1;
 
-	self->present[ACTION_TRACE_OUTPUT] = true;
 	action->type = ACTION_TRACE_OUTPUT;
 	action->trace_output = strdup(trace_output);
-	if (!action->trace_output)
+	if (!action->trace_output) {
+		self->len--; // return the action object to the pool
 		return -1;
+	}
+	self->present[ACTION_TRACE_OUTPUT] = true;
 
 	return 0;
 }
@@ -115,11 +117,13 @@ actions_add_shell(struct actions *self, const char *command)
 	if (!action)
 		return -1;
 
-	self->present[ACTION_SHELL] = true;
 	action->type = ACTION_SHELL;
 	action->command = strdup(command);
-	if (!action->command)
+	if (!action->command) {
+		self->len--;
 		return -1;
+	}
+	self->present[ACTION_SHELL] = true;
 
 	return 0;
 }
-- 
2.51.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ