Date: Fri, 17 Jul 2015 12:17:59 -0400
From: Steven Rostedt
To: Wang Nan
Subject: Re: [PATCH] tools lib traceevent: Fix double free corruption in error processing code
Message-ID: <20150717121759.015998a8@gandalf.local.home>
In-Reply-To: <1437119926-17022-1-git-send-email-wangnan0@huawei.com>
References: <1437119926-17022-1-git-send-email-wangnan0@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 17 Jul 2015 07:58:46 +0000
Wang Nan wrote:

> When the kernel introduces a new function to the 'format' file before
> traceevent is updated correspondingly, a double-free corruption occurs
> if the newly introduced function resides in the following format:
>
> # cat /sys/kernel/debug/tracing/events/bpf/bpf_output_data/format
> ...
> print fmt: "%s", __print_hex(__get_dynamic_array(buf), __get_dynamic_array_len(buf))
> ...
>
> (where __get_dynamic_array_len is the new function)
>
> And:
>
> # perf record -e bpf:bpf_output_data ls
> Warning: [bpf:bpf_output_data] function __get_dynamic_array_len not defined
> Warning: Error: expected type 5 but read 0
> *** Error in `/path/to/perf': double free or corruption (fasttop): 0x0000000001821210 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0x6eeef)[0x7f86a4cf6eef]
> /lib64/libc.so.6(+0x78cae)[0x7f86a4d00cae]
> /lib64/libc.so.6(+0x79987)[0x7f86a4d01987]
> /path/to/perf[0x51b0e2]
> /path/to/perf[0x51afc2]
> /path/to/perf[0x51fe67]
> /path/to/perf[0x5200a5]
> /path/to/perf(__pevent_parse_format+0x185)[0x525bc9]
> /path/to/perf[0x525d82]
> /path/to/perf(pevent_parse_format+0x3b)[0x525e15]
> /path/to/perf[0x4ceb61]
> /path/to/perf(perf_evsel__newtp_idx+0x9f)[0x48cabf]
> /path/to/perf(parse_events_add_tracepoint+0x25b)[0x49782b]
> /path/to/perf(parse_events_parse+0x10a3)[0x4c8243]
> /path/to/perf(parse_events+0x75)[0x498ce5]
> /path/to/perf(parse_events_option+0x41)[0x498df1]
> /path/to/perf[0x493e9b]
> /path/to/perf(parse_options+0x215)[0x4957c5]
> /path/to/perf(cmd_record+0x6a)[0x43c4ba]
> /path/to/perf[0x47b2a3]
> /path/to/perf(main+0x5f6)[0x42fed6]
> /lib64/libc.so.6(__libc_start_main+0xf5)[0x7f86a4ca9bd5]
> /path/to/perf[0x430005]
> ======= Memory map: ========
> 00400000-006b9000 r-xp 00000000 08:05 23596607 /path/to/perf
> 008b9000-00903000 rw-p 002b9000 08:05 23596607 /path/to/perf
>
> This is caused by error processing code in process_hex() which frees
> arg->hex.field but doesn't set it to NULL. When event_read_print_args()
> frees the hex arg, the dangling pointer will be freed again and cause
> the above error. process_int_array() has a similar problem.
>
> This patch fixes the dangling pointer problem by not setting them until
> everything is okay.

I actually stumbled over this exact bug in trace-cmd but came up with a
much simpler solution:

-- Steve

From 1d44d0f3361b70724b63c8aab20992704557e9c0 Mon Sep 17 00:00:00 2001
From: "Steven Rostedt (Red Hat)"
Date: Fri, 17 Jul 2015 12:07:23 -0400
Subject: [PATCH] tools lib traceevent: Set int_array fields to NULL if freeing from error

Had a bug where on error of parsing __print_array() where the fields are
freed after they were allocated, but since they were not set to NULL, the
freeing of the arg also tried to free the already freed fields causing a
double free.

Fix process_hex() while at it.

Signed-off-by: Steven Rostedt
---
 tools/lib/traceevent/event-parse.c | 3 +++
 1 file changed, 3 insertions(+)

Index: linux-trace.git/tools/lib/traceevent/event-parse.c
===================================================================
--- linux-trace.git.orig/tools/lib/traceevent/event-parse.c	2015-07-15 14:49:03.275290348 -0400
+++ linux-trace.git/tools/lib/traceevent/event-parse.c	2015-07-17 12:16:54.535359526 -0400
@@ -2559,6 +2559,7 @@ process_hex(struct event_format *event,
 free_field:
 	free_arg(arg->hex.field);
+	arg->hex.field = NULL;
 out:
 	*tok = NULL;
 	return EVENT_ERROR;
@@ -2583,8 +2584,10 @@ process_int_array(struct event_format *e
 free_size:
 	free_arg(arg->int_array.count);
+	arg->int_array.count = NULL;
 free_field:
 	free_arg(arg->int_array.field);
+	arg->int_array.field = NULL;
 out:
 	*tok = NULL;
 	return EVENT_ERROR;
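Review bot: in the process_hex() hunk, the added "arg->hex.field = NULL;" after "free_arg(arg->hex.field);" only removes the double free if free_arg() returns early on a NULL argument, because the caller (event_read_print_args() in the quoted report) still runs free_arg() on the enclosing arg after EVENT_ERROR and will hand hex.field back in; free_arg() is outside the hunk, so that property should be confirmed before merging. A one-line comment at free_field: stating that the member is cleared because the caller frees the whole arg would keep a later cleanup from dropping the assignment as redundant.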
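Review bot: in the process_int_array() hunk, free_size: falls through into free_field:, so a jump to free_size now clears both int_array.count and int_array.field; that label order has become load-bearing and deserves a comment so the labels are not reordered later without the assignments moving with them. The diffstat shows only these three insertions, so if either function releases any other heap member before reaching out:, it needs the same "= NULL" treatment, which cannot be judged from the visible lines alone.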
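The double free both patches address, as an added example that is not part of this mail or of traceevent: a constructed miniature in which an error label frees an owned member and the caller's generic free_arg() walks the enclosing arg afterwards. struct print_arg, free_arg() and process_int_array() here are assumed stand-ins for the library's routines, and leaves_dangling() reports whether the error path left a pointer the caller would free a second time.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed miniature of the print_arg ownership pattern in the patch
 * (hypothetical names, not traceevent's own definitions). */
struct print_arg {
	struct print_arg *field;   /* owned sub-argument */
	struct print_arg *count;   /* owned sub-argument */
};
/* Recursive release, as the caller's cleanup does on EVENT_ERROR;
 * free(NULL) is a no-op, which is what the fix's "= NULL" lines rely on. */
static void free_arg(struct print_arg *arg)
{
	if (!arg) return;
	free_arg(arg->field);
	free_arg(arg->count);
	free(arg);
}
/* Mirrors process_int_array(): allocate field, then count, then fail at step
 * 'fail_at' (1/2, 0 = succeed); 'fixed' adds the patch's NULL assignments. */
static int process_int_array(struct print_arg *arg, int fail_at, bool fixed)
{
	arg->field = calloc(1, sizeof(*arg->field));
	if (!arg->field || fail_at == 1)
		goto free_field;
	arg->count = calloc(1, sizeof(*arg->count));
	if (!arg->count || fail_at == 2)
		goto free_size;
	return 0;
free_size:
	free_arg(arg->count);
	if (fixed) arg->count = NULL;   /* + arg->int_array.count = NULL; */
free_field:
	free_arg(arg->field);
	if (fixed) arg->field = NULL;   /* + arg->int_array.field = NULL; */
	return -1;
}
/* True if the error path left a freed pointer behind that the caller's
 * free_arg(arg) would free again. The unfixed case is only inspected and its
 * container released without recursing, so no real double free happens. */
static bool leaves_dangling(int fail_at, bool fixed)
{
	struct print_arg *arg = calloc(1, sizeof(*arg));
	if (!arg) return false;
	bool dangling = process_int_array(arg, fail_at, fixed) != 0 &&
			(arg->field != NULL || arg->count != NULL);
	if (dangling) free(arg);      /* members already released; no recursion */
	else free_arg(arg);           /* safe: any freed member is NULL */
	return dangling;
}
```

Run under AddressSanitizer if you want to see the unfixed variant reported as a real double free: replace the non-recursive free(arg) in leaves_dangling() with free_arg(arg) and the report will name the second free of the member.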