tracing/histogram: Fix UAF in destroy_hist_field() - linux

diff options

author	Kalesh Singh <kaleshsingh@google.com>	2021-11-18 02:15:42 +0100
committer	Steven Rostedt (VMware) <rostedt@goodmis.org>	2021-11-18 19:53:43 +0100
commit	f86b0aaad741c45aba5a84a27277dd56a96808ba (patch)
tree	0c3651ee0b42ed100e5babe9e6d43a3dc7b38247 /kernel/trace/trace.c
parent	Merge tag 'trace-v5.16-5' of git://git.kernel.org/pub/scm/linux/kernel/git/ro... (diff)
download	linux-f86b0aaad741c45aba5a84a27277dd56a96808ba.tar.xz linux-f86b0aaad741c45aba5a84a27277dd56a96808ba.zip

tracing/histogram: Fix UAF in destroy_hist_field()

Calling destroy_hist_field() on an expression will recursively free any operands associated with the expression. If during expression parsing the operands of the expression are already set when an error is encountered, there is no need to explicity free the operands. Doing so will result in destroy_hist_field() being called twice for the operands and lead to a use-after-free (UAF) error. If the operands are associated with the expression, only call destroy_hist_field() on the expression since the operands will be recursively freed. Link: https://lore.kernel.org/all/CAHk-=wgcrEbFgkw9720H3tW-AhHOoEKhYwZinYJw4FpzSaJ6_Q@mail.gmail.com/ Link: https://lkml.kernel.org/r/20211118011542.1420131-1-kaleshsingh@google.com Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Kalesh Singh <kaleshsingh@google.com> Fixes: 8b5d46fd7a38 ("tracing/histogram: Optimize division by constants") Reported-by: kernel test robot <oliver.sang@intel.com> Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>

Diffstat (limited to '')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: