diff options
| author | Kalesh Singh <[email protected]> | 2021-11-17 17:15:42 -0800 |
|---|---|---|
| committer | Steven Rostedt (VMware) <[email protected]> | 2021-11-18 13:53:43 -0500 |
| commit | f86b0aaad741c45aba5a84a27277dd56a96808ba (patch) | |
| tree | 0c3651ee0b42ed100e5babe9e6d43a3dc7b38247 /net/lapb/lapb_timer.c | |
| parent | 8ab774587903771821b59471cc723bba6d893942 (diff) | |
tracing/histogram: Fix UAF in destroy_hist_field()
Calling destroy_hist_field() on an expression will recursively free
any operands associated with the expression. If during expression
parsing the operands of the expression are already set when an error
is encountered, there is no need to explicity free the operands. Doing
so will result in destroy_hist_field() being called twice for the
operands and lead to a use-after-free (UAF) error.
If the operands are associated with the expression, only call
destroy_hist_field() on the expression since the operands will be
recursively freed.
Link: https://lore.kernel.org/all/CAHk-=wgcrEbFgkw9720H3tW-AhHOoEKhYwZinYJw4FpzSaJ6_Q@mail.gmail.com/
Link: https://lkml.kernel.org/r/[email protected]
Suggested-by: Linus Torvalds <[email protected]>
Signed-off-by: Kalesh Singh <[email protected]>
Fixes: 8b5d46fd7a38 ("tracing/histogram: Optimize division by constants")
Reported-by: kernel test robot <[email protected]>
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Diffstat (limited to 'net/lapb/lapb_timer.c')
0 files changed, 0 insertions, 0 deletions