diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25704/0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch')
| -rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25704/0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25704/0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25704/0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch new file mode 100644 index 000000000..e51593af2 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-25704/0001-perf-core-Fix-a-memory-leak-in-perf_event_parse_addr.patch @@ -0,0 +1,92 @@ +From 7bdb157cdebbf95a1cd94ed2e01b338714075d00 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?kiyin=28=E5=B0=B9=E4=BA=AE=29?= <kiyin@tencent.com> +Date: Wed, 4 Nov 2020 08:23:22 +0300 +Subject: [PATCH] perf/core: Fix a memory leak in + perf_event_parse_addr_filter() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As shown through runtime testing, the "filename" allocation is not +always freed in perf_event_parse_addr_filter(). + +There are three possible ways that this could happen: + + - It could be allocated twice on subsequent iterations through the loop, + - or leaked on the success path, + - or on the failure path. + +Clean up the code flow to make it obvious that 'filename' is always +freed in the reallocation path and in the two return paths as well. + +We rely on the fact that kfree(NULL) is NOP and filename is initialized +with NULL. + +This fixes the leak. No other side effects expected. + +[ Dan Carpenter: cleaned up the code flow & added a changelog. ] +[ Ingo Molnar: updated the changelog some more. ] + +Fixes: 375637bc5249 ("perf/core: Introduce address range filtering") +Signed-off-by: "kiyin(尹亮)" <kiyin@tencent.com> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Cc: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu> +Cc: Anthony Liguori <aliguori@amazon.com> +-- + kernel/events/core.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) +--- + kernel/events/core.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index da467e1dd49a..5a29ab09e72d 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10085,6 +10085,7 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr, + if (token == IF_SRC_FILE || token == IF_SRC_FILEADDR) { + int fpos = token == IF_SRC_FILE ? 2 : 1; + ++ kfree(filename); + filename = match_strdup(&args[fpos]); + if (!filename) { + ret = -ENOMEM; +@@ -10131,16 +10132,13 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr, + */ + ret = -EOPNOTSUPP; + if (!event->ctx->task) +- goto fail_free_name; ++ goto fail; + + /* look up the path and grab its inode */ + ret = kern_path(filename, LOOKUP_FOLLOW, + &filter->path); + if (ret) +- goto fail_free_name; +- +- kfree(filename); +- filename = NULL; ++ goto fail; + + ret = -EINVAL; + if (!filter->path.dentry || +@@ -10160,13 +10158,13 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr, + if (state != IF_STATE_ACTION) + goto fail; + ++ kfree(filename); + kfree(orig); + + return 0; + +-fail_free_name: +- kfree(filename); + fail: ++ kfree(filename); + free_filters_list(filters); + kfree(orig); + +-- +2.17.1 + |