0aa7d66395
- Fix out-of-bound heap write (boo#1194248 boo#1194249 CVE-2021-45940 CVE-2021-45941) + libbpf-Use-elf_getshdrnum-instead-of-e_shnum.patch - Fix use-after-free in btf_dump_name_dups (boo#1204391 CVE-2022-3534) + libbpf-Fix-use-after-free-in-btf_dump_name_dups.patch - Fix memory leak in parse_usdt_arg() (boo#1204393 CVE-2022-3533) + libbpf-Fix-memory-leak-in-parse_usdt_arg.patch - Fix null pointer dereference in find_prog_by_sec_insn() (boo#1204502 CVE-2022-3606) + libbpf-Fix-null-pointer-dereference-in-find_prog_by_.patch OBS-URL: https://build.opensuse.org/request/show/1034422 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libbpf?expand=0&rev=25
From 881a10980b7ded995da5d9cc1919992c36c9d2be Mon Sep 17 00:00:00 2001
|
|
From: Xu Kuohai <xukuohai@huawei.com>
|
|
Date: Tue, 11 Oct 2022 08:01:04 -0400
|
|
Subject: [PATCH 2/2] libbpf: Fix memory leak in parse_usdt_arg()
|
|
|
|
In the arm64 version of parse_usdt_arg(), when sscanf returns 2, reg_name
|
|
is allocated but not freed. Fix it.
|
|
|
|
Fixes: 0f8619929c57 ("libbpf: Usdt aarch64 arg parsing support")
|
|
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
|
|
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
|
|
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
|
|
Link: https://lore.kernel.org/bpf/20221011120108.782373-3-xukuohai@huaweicloud.com
|
|
---
|
|
src/usdt.c | 11 ++++-------
|
|
1 file changed, 4 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/usdt.c b/src/usdt.c
|
|
index e83b497..49f3c3b 100644
|
|
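--- a/src/usdt.c
+++ b/src/usdt.c
@@ -1348,25 +1348,23 @@ static int calc_pt_regs_off(const char *reg_name)
 
 static int parse_usdt_arg(const char *arg_str, int arg_num, struct usdt_arg_spec *arg)
 {
- char *reg_name = NULL;
+ char reg_name[16];
 int arg_sz, len, reg_off;
 long off;
 
- if (sscanf(arg_str, " %d @ \[ %m[a-z0-9], %ld ] %n", &arg_sz, ®_name, &off, &len) == 3) {
+ if (sscanf(arg_str, " %d @ \[ %15[a-z0-9], %ld ] %n", &arg_sz, reg_name, &off, &len) == 3) {
 /* Memory dereference case, e.g., -4@[sp, 96] */
 arg->arg_type = USDT_ARG_REG_DEREF;
 arg->val_off = off;
 reg_off = calc_pt_regs_off(reg_name);
- free(reg_name);
 if (reg_off < 0)
 return reg_off;
 arg->reg_off = reg_off;
- } else if (sscanf(arg_str, " %d @ \[ %m[a-z0-9] ] %n", &arg_sz, ®_name, &len) == 2) {
+ } else if (sscanf(arg_str, " %d @ \[ %15[a-z0-9] ] %n", &arg_sz, reg_name, &len) == 2) {
 /* Memory dereference case, e.g., -4@[sp] */
 arg->arg_type = USDT_ARG_REG_DEREF;
 arg->val_off = 0;
 reg_off = calc_pt_regs_off(reg_name);
- free(reg_name);
 if (reg_off < 0)
 return reg_off;
 arg->reg_off = reg_off;
@@ -1375,12 +1373,11 @@ static int parse_usdt_arg(const char *arg_str, int arg_num, struct usdt_arg_spec
 arg->arg_type = USDT_ARG_CONST;
 arg->val_off = off;
 arg->reg_off = 0;
- } else if (sscanf(arg_str, " %d @ %m[a-z0-9] %n", &arg_sz, ®_name, &len) == 2) {
+ } else if (sscanf(arg_str, " %d @ %15[a-z0-9] %n", &arg_sz, reg_name, &len) == 2) {
 /* Register read case, e.g., -8@x4 */
 arg->arg_type = USDT_ARG_REG;
 arg->val_off = 0;
 reg_off = calc_pt_regs_off(reg_name);
- free(reg_name);
 if (reg_off < 0)
 return reg_off;
 arg->reg_off = reg_off;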
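Review bot: A return of 2 from the `\[ %15[a-z0-9] ] %n` call in the first hunk does not prove that the closing `]` matched or that `%n` stored anything, because `%n` is not counted in the result; with the new field width an over-long name is also cut at 15 characters and still counts as a match. `len` is declared without an initializer in the context line `int arg_sz, len, reg_off;`, so if the code after the second hunk reads it (not visible here) its value may be indeterminate for a malformed argument string. Setting `len = -1;` before the sscanf chain and rejecting `len < 0` once a branch has been taken would close that. Separately, the literal `15` in the three format strings (two in the first hunk, one in the second) is tied to `char reg_name[16]` only by convention; a comment on the declaration such as `/* sscanf widths below use %15: keep at sizeof(reg_name) - 1 */` would stop a later resize from becoming a stack write past the buffer. parse_usdt_arg's body continues outside both hunks.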
--
|
|
2.38.0
|
|
|