diff options
author | Steven Rostedt (Google) <rostedt@goodmis.org> | 2023-03-24 16:09:22 -0400 |
---|---|---|
committer | Steven Rostedt (Google) <rostedt@goodmis.org> | 2023-03-27 17:56:03 -0400 |
commit | a4b1ba5f874078f3a54ede67edd56f2b26ae079b (patch) | |
tree | e1e9afb155dfc8e9b236f9180b58b18921fa0589 | |
parent | 4e51588b1f4d6617df7e39a38acc0d0daa3d8a3f (diff) | |
download | libtraceevent-a4b1ba5f874078f3a54ede67edd56f2b26ae079b.tar.gz |
libtraceevent: Fix double free in parsing sizeof()
Google's fuzz testing caught a double free in process_sizeof(). If "ok" is
set, it means that token contains the last part of sizeof() (should be the
')'). Otherwise, the token contains the last item in the parenthesis of
sizeof(), and the next token needs to be read.
The problem is, in this case, the token is read into the token holder
"tok" and not to token. That means the next "free_token()" will free the
token that was already freed and what was just read.
Note, the "ok" variable is a horrible name and needs to be changed, but
that's outside the scope of this update.
Link: https://lore.kernel.org/linux-trace-devel/20230324200924.287521-2-rostedt@goodmis.org
Fixes: 2d0573af4dfda ("libtraceevent: Be able to handle some sizeof() calls")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
-rw-r--r-- | src/event-parse.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/event-parse.c b/src/event-parse.c index e655087..2584b36 100644 --- a/src/event-parse.c +++ b/src/event-parse.c @@ -3591,8 +3591,9 @@ process_sizeof(struct tep_event *event, struct tep_print_arg *arg, char **tok) } if (!ok) { + /* The token contains the last item before the parenthesis */ free_token(token); - type = read_token_item(event->tep, tok); + type = read_token_item(event->tep, &token); } if (test_type_token(type, token, TEP_EVENT_DELIM, ")")) goto error; |