2021-11-17 07:34:22

by Kalesh Singh

Subject: [PATCH v2] tracing/histogram: Fix UAF in destroy_hist_field()

Calling destroy_hist_field() on an expression will recursively free
any operands associated with the expression. If during expression
parsing the operands of the expression are already set when an error
is encountered, there is no need to explicitly free the operands. Doing
so will result in destroy_hist_field() being called twice for the
operands and lead to a use-after-free (UAF) error.

Fix this by only calling destroy_hist_field() for the operands if they
are not associated with the expression hist_field.

Signed-off-by: Kalesh Singh <[email protected]>
Fixes: 8b5d46fd7a38 ("tracing/histogram: Optimize division by constants")
Reported-by: kernel test robot <[email protected]>
---

Changes in v2:
- Handle all freeing logic in one place so we don't need to worry
about where to free what, per Steve

kernel/trace/trace_events_hist.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 5ea2c9ec54a6..b53ee8d566f6 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -2717,8 +2717,10 @@ static struct hist_field *parse_expr(struct hist_trigger_data *hist_data,

return expr;
free:
- destroy_hist_field(operand1, 0);
- destroy_hist_field(operand2, 0);
+ if (!expr || expr->operands[0] != operand1)
+ destroy_hist_field(operand1, 0);
+ if (!expr || expr->operands[1] != operand2)
+ destroy_hist_field(operand2, 0);
destroy_hist_field(expr, 0);

return ERR_PTR(ret);
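Review bot: the ownership guard at the `free:` label relies on an invariant that is not written down, so a short comment there would help future readers: `expr->operands[0] != operand1` only identifies the unowned case because parse_expr stores operand1 in slot 0 and operand2 in slot 1 and nowhere else, and an operand still owned by this function after expr exists must be absent from its slot. Two things worth confirming from the surrounding code, which the hunk does not show: first, that every path reaching `free:` leaves `expr` either NULL or a valid pointer (the `!expr` test does not cover an ERR_PTR, for which `expr->operands[0]` would fault), and second, that destroy_hist_field() tolerates a NULL argument, since the unchanged `destroy_hist_field(expr, 0)` and the operand calls now pass NULL on early failures. If an ERR_PTR is possible, an `IS_ERR_OR_NULL(expr)` check in both conditions would be the safe form.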

base-commit: 8ab774587903771821b59471cc723bba6d893942
--
2.34.0.rc1.387.gb447b232ab-goog
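As an added illustration of the double destroy described in the commit message (this is not part of the patch and not kernel code): a small userland C model in which an expression node recursively releases its operands, with an error injected either before or after the operands have been attached. The names destroy_hist_field and parse_expr are borrowed from the message; the struct layout, the node registry that keeps a "freed" node readable so the second destroy can be counted instead of becoming an actual use-after-free, and the injected failure points are all assumptions made to keep the example self-contained.

```c
/* Constructed userland model of the ownership bug the patch fixes.
 * Assumed: a two-operand node, a registry standing in for kfree(), and
 * error injection; none of this is the kernel's own code. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_NODES 16

struct hist_field {
	struct hist_field *operands[2];
	int freed;	/* set on first destroy; a second destroy is the bug */
};

/* Registry so a destroyed node stays readable and a second destroy can be
 * observed; with real kfree() that read would be the use-after-free. */
static struct hist_field *nodes[MAX_NODES];
static int nnodes;
static int double_destroys;

static struct hist_field *alloc_field(void)
{
	struct hist_field *f = calloc(1, sizeof(*f));

	if (!f || nnodes == MAX_NODES) {
		free(f);
		return NULL;
	}
	nodes[nnodes++] = f;
	return f;
}

/* Mirrors destroy_hist_field(): release the node, then its operands. */
static void destroy_hist_field(struct hist_field *f, unsigned int level)
{
	if (!f)
		return;
	if (f->freed) {
		double_destroys++;	/* in the kernel: use-after-free */
		return;
	}
	f->freed = 1;
	destroy_hist_field(f->operands[0], level + 1);
	destroy_hist_field(f->operands[1], level + 1);
}

/* Model of parse_expr()'s error path. fail_after_attach chooses whether the
 * injected error occurs after ownership of the operands moved to expr;
 * guarded selects the patched cleanup. Always fails, like ERR_PTR(ret). */
static struct hist_field *parse_expr_model(int fail_after_attach, int guarded)
{
	struct hist_field *operand1 = alloc_field();
	struct hist_field *operand2 = alloc_field();
	struct hist_field *expr = NULL;

	if (!operand1 || !operand2)
		goto free;
	if (!fail_after_attach)
		goto free;	/* error while parsing operands: expr is NULL */

	expr = alloc_field();
	if (!expr)
		goto free;
	expr->operands[0] = operand1;
	expr->operands[1] = operand2;
	goto free;		/* error after the operands belong to expr */

free:
	if (!guarded) {
		/* pre-patch: operands destroyed here and again via expr */
		destroy_hist_field(operand1, 0);
		destroy_hist_field(operand2, 0);
	} else {
		/* patched: only destroy operands expr does not own */
		if (!expr || expr->operands[0] != operand1)
			destroy_hist_field(operand1, 0);
		if (!expr || expr->operands[1] != operand2)
			destroy_hist_field(operand2, 0);
	}
	destroy_hist_field(expr, 0);
	return NULL;
}

/* Runs one scenario and returns how many nodes were destroyed twice. */
int count_double_destroys(int fail_after_attach, int guarded)
{
	int i;

	double_destroys = 0;
	parse_expr_model(fail_after_attach, guarded);
	for (i = 0; i < nnodes; i++)
		free(nodes[i]);	/* real release, exactly once each */
	nnodes = 0;
	return double_destroys;
}

int main(void)
{
	printf("unguarded, error after attach:  %d double destroys\n",
	       count_double_destroys(1, 0));
	printf("guarded,   error after attach:  %d double destroys\n",
	       count_double_destroys(1, 1));
	printf("unguarded, error before attach: %d double destroys\n",
	       count_double_destroys(0, 0));
	return 0;
}
```

The unguarded cleanup counts two double destroys when the error lands after the operands are attached, because destroy_hist_field(expr, 0) walks into operands that the explicit calls already released; the guarded form and the early-failure case count none, which is the ownership rule the patch encodes.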