-
-
Notifications
You must be signed in to change notification settings - Fork 187
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
linux 5.10.5: backporting linux upstream patch for 5.10.5 (libsubcmd …
…fix use after free for realloc) Permits building on top of debian-12 (testing), which fails to build since detecting bug.
- Loading branch information
Showing
1 changed file
with
64 additions
and
0 deletions.
There are no files selected for viewing
64 changes: 64 additions & 0 deletions
64
patches/linux-5.10.5/0004-libsubcmd_Fix_use-after-free-for-realloc.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001 | ||
| From: Kees Cook <[email protected]> | ||
| Date: Sun, 13 Feb 2022 10:24:43 -0800 | ||
| Subject: [PATCH] libsubcmd: Fix use-after-free for realloc(..., 0) | ||
| MIME-Version: 1.0 | ||
| Content-Type: text/plain; charset=UTF-8 | ||
| Content-Transfer-Encoding: 8bit | ||
|
|
||
| GCC 12 correctly reports a potential use-after-free condition in the | ||
| xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)" | ||
| when size == 0: | ||
|
|
||
| In file included from help.c:12: | ||
| In function 'xrealloc', | ||
| inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free] | ||
| 56 | ret = realloc(ptr, size); | ||
| | ^~~~~~~~~~~~~~~~~~ | ||
| subcmd-util.h:52:21: note: call to 'realloc' here | ||
| 52 | void *ret = realloc(ptr, size); | ||
| | ^~~~~~~~~~~~~~~~~~ | ||
| subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free] | ||
| 58 | ret = realloc(ptr, 1); | ||
| | ^~~~~~~~~~~~~~~ | ||
| subcmd-util.h:52:21: note: call to 'realloc' here | ||
| 52 | void *ret = realloc(ptr, size); | ||
| | ^~~~~~~~~~~~~~~~~~ | ||
|
|
||
| Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence") | ||
| Reported-by: Valdis Klētnieks <[email protected]> | ||
| Signed-off-by: Kees Kook <[email protected]> | ||
| Tested-by: Valdis Klētnieks <[email protected]> | ||
| Tested-by: Justin M. Forbes <[email protected]> | ||
| Acked-by: Josh Poimboeuf <[email protected]> | ||
| Cc: [email protected] | ||
| Cc: Valdis Klētnieks <[email protected]> | ||
| Link: http://lore.kernel.org/lkml/[email protected] | ||
| Signed-off-by: Arnaldo Carvalho de Melo <[email protected]> | ||
| --- | ||
| tools/lib/subcmd/subcmd-util.h | 11 ++--------- | ||
| 1 file changed, 2 insertions(+), 9 deletions(-) | ||
|
|
||
| diff --git a/tools/lib/subcmd/subcmd-util.h b/tools/lib/subcmd/subcmd-util.h | ||
| index 794a375dad3601..b2aec04fce8f67 100644 | ||
| --- a/tools/lib/subcmd/subcmd-util.h | ||
| +++ b/tools/lib/subcmd/subcmd-util.h | ||
| @@ -50,15 +50,8 @@ static NORETURN inline void die(const char *err, ...) | ||
| static inline void *xrealloc(void *ptr, size_t size) | ||
| { | ||
| void *ret = realloc(ptr, size); | ||
| - if (!ret && !size) | ||
| - ret = realloc(ptr, 1); | ||
| - if (!ret) { | ||
| - ret = realloc(ptr, size); | ||
| - if (!ret && !size) | ||
| - ret = realloc(ptr, 1); | ||
| - if (!ret) | ||
| - die("Out of memory, realloc failed"); | ||
| - } | ||
| + if (!ret) | ||
| + die("Out of memory, realloc failed"); | ||
| return ret; | ||
| } | ||
|
|
||
|
|