From fa9c4977fbfbca182f9e410d57b3f98356a9d917 Mon Sep 17 00:00:00 2001 From: Ian Rogers Date: Thu, 1 May 2025 00:00:03 -0700 Subject: [PATCH] perf symbol-minimal: Fix double free in filename__read_build_id Running the "perf script task-analyzer tests" with address sanitizer showed a double free: ``` FAIL: "test_csv_extended_times" Error message: "Failed to find required string:'Out-Out;'." ================================================================= ==19190==ERROR: AddressSanitizer: attempting double-free on 0x50b000017b10 in thread T0: #0 0x55da9601c78a in free (perf+0x26078a) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) #1 0x55da96640c63 in filename__read_build_id tools/perf/util/symbol-minimal.c:221:2 0x50b000017b10 is located 0 bytes inside of 112-byte region [0x50b000017b10,0x50b000017b80) freed by thread T0 here: #0 0x55da9601ce40 in realloc (perf+0x260e40) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) #1 0x55da96640ad6 in filename__read_build_id tools/perf/util/symbol-minimal.c:204:10 previously allocated by thread T0 here: #0 0x55da9601ca23 in malloc (perf+0x260a23) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) #1 0x55da966407e7 in filename__read_build_id tools/perf/util/symbol-minimal.c:181:9 SUMMARY: AddressSanitizer: double-free (perf+0x26078a) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) in free ==19190==ABORTING FAIL: "invocation of perf script report task-analyzer --csv-summary csvsummary --summary-extended command failed" Error message: "" FAIL: "test_csvsummary_extended" Error message: "Failed to find required string:'Out-Out;'." ---- end(-1) ---- 132: perf script task-analyzer tests : FAILED! ``` The buf_size if always set to phdr->p_filesz, but that may be 0 causing a free and realloc to return NULL. This is treated in filename__read_build_id like a failure and the buffer is freed again. To avoid this problem only grow buf, meaning the buf_size will never be 0. This also reduces the number of memory (re)allocations. Fixes: b691f64360ecec49 ("perf symbols: Implement poor man's ELF parser") Signed-off-by: Ian Rogers Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20250501070003.22251-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo --- tools/perf/util/symbol-minimal.c | 34 +++++++++++++++++--------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c index c6f369b5d893f..d8da3da01fe6b 100644 --- a/tools/perf/util/symbol-minimal.c +++ b/tools/perf/util/symbol-minimal.c @@ -147,18 +147,19 @@ int filename__read_build_id(const char *filename, struct build_id *bid) if (phdr->p_type != PT_NOTE) continue; - buf_size = phdr->p_filesz; offset = phdr->p_offset; - tmp = realloc(buf, buf_size); - if (tmp == NULL) - goto out_free; - - buf = tmp; + if (phdr->p_filesz > buf_size) { + buf_size = phdr->p_filesz; + tmp = realloc(buf, buf_size); + if (tmp == NULL) + goto out_free; + buf = tmp; + } fseek(fp, offset, SEEK_SET); - if (fread(buf, buf_size, 1, fp) != 1) + if (fread(buf, phdr->p_filesz, 1, fp) != 1) goto out_free; - ret = read_build_id(buf, buf_size, bid, need_swap); + ret = read_build_id(buf, phdr->p_filesz, bid, need_swap); if (ret == 0) { ret = bid->size; break; @@ -199,18 +200,19 @@ int filename__read_build_id(const char *filename, struct build_id *bid) if (phdr->p_type != PT_NOTE) continue; - buf_size = phdr->p_filesz; offset = phdr->p_offset; - tmp = realloc(buf, buf_size); - if (tmp == NULL) - goto out_free; - - buf = tmp; + if (phdr->p_filesz > buf_size) { + buf_size = phdr->p_filesz; + tmp = realloc(buf, buf_size); + if (tmp == NULL) + goto out_free; + buf = tmp; + } fseek(fp, offset, SEEK_SET); - if (fread(buf, buf_size, 1, fp) != 1) + if (fread(buf, phdr->p_filesz, 1, fp) != 1) goto out_free; - ret = read_build_id(buf, buf_size, bid, need_swap); + ret = read_build_id(buf, phdr->p_filesz, bid, need_swap); if (ret == 0) { ret = bid->size; break; -- 2.39.5