Skip to content

Commit 509e36e

Browse files
caringicaringi
committed
Merge: CVE-2022-49648: tracing/histograms: Fix memory leak problem
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6444 JIRA: https://issues.redhat.com/browse/RHEL-81008 CVE: CVE-2022-49648 ``` commit 7edc394 Author: Zheng Yejian <[email protected]> Date: Mon Jul 11 09:47:31 2022 +0800 tracing/histograms: Fix memory leak problem This reverts commit 46bbe5c. As commit 46bbe5c ("tracing: fix double free") said, the "double free" problem reported by clang static analyzer is: > In parse_var_defs() if there is a problem allocating > var_defs.expr, the earlier var_defs.name is freed. > This free is duplicated by free_var_defs() which frees > the rest of the list. However, if there is a problem allocating N-th var_defs.expr: + in parse_var_defs(), the freed 'earlier var_defs.name' is actually the N-th var_defs.name; + then in free_var_defs(), the names from 0th to (N-1)-th are freed; IF ALLOCATING PROBLEM HAPPENED HERE!!! -+ \ | 0th 1th (N-1)-th N-th V +-------------+-------------+-----+-------------+----------- var_defs: | name | expr | name | expr | ... | name | expr | name | /// +-------------+-------------+-----+-------------+----------- These two frees don't act on same name, so there was no "double free" problem before. Conversely, after that commit, we get a "memory leak" problem because the above "N-th var_defs.name" is not freed. If enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th var_defs.expr allocated, then execute on shell like: $ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \ /sys/kernel/debug/tracing/events/kmem/kmalloc/trigger Then kmemleak reports: unreferenced object 0xffff8fb100ef3518 (size 8): comm "bash", pid 196, jiffies 4295681690 (age 28.538s) hex dump (first 8 bytes): 76 31 00 00 b1 8f ff ff v1...... backtrace: [<0000000038fe4895>] kstrdup+0x2d/0x60 [<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0 [<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110 [<0000000066737a4c>] event_trigger_write+0x75/0xd0 [<000000007341e40c>] vfs_write+0xbb/0x2a0 [<0000000087fde4c2>] ksys_write+0x59/0xd0 [<00000000581e9cdf>] do_syscall_64+0x3a/0x80 [<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 Link: https://lkml.kernel.org/r/[email protected] Cc: [email protected] Fixes: 46bbe5c ("tracing: fix double free") Reported-by: Hulk Robot <[email protected]> Suggested-by: Steven Rostedt <[email protected]> Reviewed-by: Tom Zanussi <[email protected]> Signed-off-by: Zheng Yejian <[email protected]> Signed-off-by: Steven Rostedt (Google) <[email protected]>``` Signed-off-by: CKI Backport Bot <[email protected]> --- <small>Created 2025-02-26 22:20 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small> Approved-by: Waiman Long <[email protected]> Approved-by: Jerome Marchand <[email protected]> Approved-by: CKI KWF Bot <[email protected]> Merged-by: Augusto Caringi <[email protected]>
2 parents 358f817 + b70dedd commit 509e36e

File tree

1 file changed

+2
-0
lines changed

1 file changed

+2
-0
lines changed

kernel/trace/trace_events_hist.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4236,6 +4236,8 @@ static int parse_var_defs(struct hist_trigger_data *hist_data)
42364236

42374237
s = kstrdup(field_str, GFP_KERNEL);
42384238
if (!s) {
4239+
kfree(hist_data->attrs->var_defs.name[n_vars]);
4240+
hist_data->attrs->var_defs.name[n_vars] = NULL;
42394241
ret = -ENOMEM;
42404242
goto free;
42414243
}

0 commit comments

Comments
 (0)