Date: Tue, 28 May 2019 16:31:04 -0400
From: Steven Rostedt
To: Tomas Bortoli
Cc: linux-kernel@vger.kernel.org, mingo@redhat.com
Subject: Re: [PATCH] trace: Avoid memory leak in predicate_parse()
Message-ID: <20190528163104.67763762@gandalf.local.home>
In-Reply-To: <20190528154338.29976-1-tomasbortoli@gmail.com>
References: <20190528104400.388e4c3f@gandalf.local.home> <20190528154338.29976-1-tomasbortoli@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 28 May 2019 17:43:38 +0200 Tomas Bortoli wrote:
> @@ -578,6 +578,8 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, > out_free: > kfree(op_stack); > kfree(inverts); > + for (i = 0; prog_stack[i].pred; i++) > + kfree(prog_stack[i].pred); > kfree(prog_stack); > return ERR_PTR(ret); > }

I should have caught this, but thanks to the zero day bot, it found it first:

kernel/trace/trace_events_filter.c:582:27-31: ERROR: prog_stack is NULL but dereferenced.

I changed the patch with the following:

From dfb4a6f2191a80c8b790117d0ff592fd712d3296 Mon Sep 17 00:00:00 2001
From: Tomas Bortoli
Date: Tue, 28 May 2019 17:43:38 +0200
Subject: [PATCH] tracing: Avoid memory leak in predicate_parse()

In case of errors, predicate_parse() goes to the out_free label to free memory and to return an error code. However, predicate_parse() does not free the predicates of the temporary prog_stack array, thence leaking them.

Link: http://lkml.kernel.org/r/20190528154338.29976-1-tomasbortoli@gmail.com

Cc: stable@vger.kernel.org
Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
Reported-by: syzbot+6b8e0fb820e570c59e19@syzkaller.appspotmail.com
Signed-off-by: Tomas Bortoli
[ Added protection around freeing prog_stack[i].pred ]
Signed-off-by: Steven Rostedt (VMware)
---
 kernel/trace/trace_events_filter.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index d3e59312ef40..5079d1db3754 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -428,7 +428,7 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, op_stack = kmalloc_array(nr_parens, sizeof(*op_stack), GFP_KERNEL); if (!op_stack) return ERR_PTR(-ENOMEM); - prog_stack = kmalloc_array(nr_preds, sizeof(*prog_stack), GFP_KERNEL); + prog_stack = kcalloc(nr_preds, sizeof(*prog_stack), GFP_KERNEL); if (!prog_stack) { parse_error(pe, -ENOMEM, 0); goto out_free;
@@ -579,7 +579,11 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, out_free: kfree(op_stack); kfree(inverts); - kfree(prog_stack); + if (prog_stack) { + for (i = 0; prog_stack[i].pred; i++) + kfree(prog_stack[i].pred); + kfree(prog_stack); + } return ERR_PTR(ret); }
-- 
2.20.1
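Review bot: the change from kmalloc_array() to kcalloc() in the hunk at line 428 is load-bearing for the cleanup added at out_free, which stops at the first entry whose pred is NULL; with unzeroed memory that scan would read uninitialized pointers and pass them to kfree(). Nothing at the allocation site says so, and the two sites are 150 lines apart, so a one-line comment next to the kcalloc() (zeroed so the out_free scan can stop at the first NULL pred) would keep a future change back to kmalloc_array() from silently reintroducing the problem.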
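Review bot: in the out_free hunk at line 579, `for (i = 0; prog_stack[i].pred; i++)` has no upper bound, so it only terminates if at least one of the nr_preds slots is still NULL when the error path is taken; if every slot had been filled before the failure, the scan reads prog_stack[nr_preds], one entry past the kcalloc()'d array. Bounding the loop, e.g. `for (i = 0; i < nr_preds && prog_stack[i].pred; i++)`, removes the dependency on a spare slot at no cost. The `if (prog_stack)` guard does resolve the NULL dereference the zero day bot reported for the case where the kcalloc() itself fails and jumps to out_free.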
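The commit message describes the first hazard, an error path that frees the temporary array but not the predicates its entries own, and the bot's report shows the second, reaching the cleanup label while prog_stack is still NULL. The following user-space C model is an added example, not code from the kernel or from either author: build_prog() fills an array the way predicate_parse() does, and leaked_after_failure() forces the n-th allocation to fail and reports how many allocations remain live afterwards, so the leaky and the fixed cleanup can be compared on the same failure. All names here (prog_entry, build_prog, zalloc, zfree, leaked_after_failure) are assumptions made for the example; the fixed cleanup also bounds the sentinel scan by nr_preds, which goes one step beyond what the patch does.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Example model of the predicate_parse() error path (names are assumptions,
 * not the kernel's): a temporary array whose entries each own a separately
 * allocated predicate. */
struct pred { int id; };
struct prog_entry { struct pred *pred; };
enum cleanup_style { CLEANUP_LEAKY, CLEANUP_FIXED };

/* Bookkeeping standing in for kmemleak: count live allocations and let the
 * n-th allocation (1-based) be forced to fail. */
static int live_allocs, alloc_seq, fail_alloc_at = -1;

static void *zalloc(size_t n)
{
	void *p;
	if (++alloc_seq == fail_alloc_at)
		return NULL;		/* injected allocation failure */
	p = calloc(1, n);		/* kcalloc-like: memory is zeroed */
	if (p)
		live_allocs++;
	return p;
}

static void zfree(void *p)
{
	if (p) {
		live_allocs--;
		free(p);
	}
}

/* Allocates nr_preds entries with one predicate each.  On success *out owns
 * the array; on failure returns -errno and should leave nothing allocated. */
static int build_prog(int nr_preds, enum cleanup_style style,
		      struct prog_entry **out)
{
	struct prog_entry *prog_stack;
	int i, ret = -ENOMEM;

	prog_stack = zalloc(nr_preds * sizeof(*prog_stack));
	if (!prog_stack)
		goto out_free;		/* prog_stack is NULL at the label */
	for (i = 0; i < nr_preds; i++) {
		prog_stack[i].pred = zalloc(sizeof(struct pred));
		if (!prog_stack[i].pred)
			goto out_free;
		prog_stack[i].pred->id = i;
	}
	*out = prog_stack;
	return 0;

out_free:
	if (style == CLEANUP_LEAKY) {
		/* The original code: frees the array, leaks its predicates. */
		zfree(prog_stack);
	} else if (prog_stack) {
		/* Guard the NULL-array case, then walk the zeroed array up to
		 * the first empty slot, bounded by nr_preds so a fully
		 * populated array is never read past its end. */
		for (i = 0; i < nr_preds && prog_stack[i].pred; i++)
			zfree(prog_stack[i].pred);
		zfree(prog_stack);
	}
	return ret;
}

static void free_prog(struct prog_entry *prog, int nr_preds)
{
	int i;
	for (i = 0; i < nr_preds; i++)
		zfree(prog[i].pred);
	zfree(prog);
}

/* Runs build_prog() with the n-th allocation forced to fail (no failure for
 * failing_alloc < 0) and returns how many allocations are still live
 * afterwards; 0 means the error path leaked nothing. */
int leaked_after_failure(int nr_preds, int failing_alloc,
			 enum cleanup_style style)
{
	struct prog_entry *prog = NULL;
	int ret;

	live_allocs = 0;
	alloc_seq = 0;
	fail_alloc_at = failing_alloc;
	ret = build_prog(nr_preds, style, &prog);
	fail_alloc_at = -1;
	if (ret == 0)
		free_prog(prog, nr_preds);
	return live_allocs;
}

int main(void)
{
	/* Third allocation (second predicate) fails on a 4-entry array. */
	printf("leaky cleanup: %d live, fixed cleanup: %d live\n",
	       leaked_after_failure(4, 3, CLEANUP_LEAKY),
	       leaked_after_failure(4, 3, CLEANUP_FIXED));
	return 0;
}
```

Failing the first allocation (the array itself) exercises the case the bot flagged: the fixed cleanup reaches out_free with a NULL prog_stack and must not touch it. Failing a later allocation shows the leak the commit message describes: every predicate attached before the failure stays live under the leaky cleanup and is reclaimed under the fixed one.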