lttng_enabler_link_bytecode() calls link_bytecode() passing an insertion
location (insert_loc) within the list. This insert location is meant to
be used as cursor position where to add the new element.
However, bytecode_is_linked() uses it as iteration list head, and this
is where things fall apart: it will thus consider the real list head as
being a list node, and will erroneously think that it is contained
within a struct lttng_bytecode_runtime; it will thus perform a possibly
out-of-bounds read, or compare against garbage data.
It worked fine most of the time because in usual scenarios the insert
location is the list head. It falls apart when many bytecodes are linked
to a given event.
Fixes: 53b9d7db85d ("Decouple `struct lttng_event` from filter code")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Change-Id: Ie47171e981986a30b45b92f82811ff15aae38ad2
int link_bytecode(const struct lttng_event_desc *event_desc,
struct lttng_ctx **ctx,
struct lttng_ust_bytecode_node *bytecode,
int link_bytecode(const struct lttng_event_desc *event_desc,
struct lttng_ctx **ctx,
struct lttng_ust_bytecode_node *bytecode,
+ struct cds_list_head *bytecode_runtime_head,
struct cds_list_head *insert_loc)
{
int ret, offset, next_offset;
struct cds_list_head *insert_loc)
{
int ret, offset, next_offset;
if (!bytecode)
return 0;
/* Bytecode already linked */
if (!bytecode)
return 0;
/* Bytecode already linked */
- if (bytecode_is_linked(bytecode, insert_loc))
+ if (bytecode_is_linked(bytecode, bytecode_runtime_head))
return 0;
dbg_printf("Linking...\n");
return 0;
dbg_printf("Linking...\n");
insert_loc = instance_bytecode_head;
add_within:
dbg_printf("linking bytecode\n");
insert_loc = instance_bytecode_head;
add_within:
dbg_printf("linking bytecode\n");
- ret = link_bytecode(event_desc, ctx, enabler_bc, insert_loc);
+ ret = link_bytecode(event_desc, ctx, enabler_bc, instance_bytecode_head, insert_loc);
if (ret) {
dbg_printf("[lttng filter] warning: cannot link event bytecode\n");
}
if (ret) {
dbg_printf("[lttng filter] warning: cannot link event bytecode\n");
}
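Review bot: The new `bytecode_runtime_head` parameter added to link_bytecode's signature carries no comment distinguishing it from `insert_loc`, and confusing those two pointers is exactly the bug this commit fixes, so nothing stops the next reader of this signature from repeating it. I would annotate both parameters in the declaration: `struct cds_list_head *bytecode_runtime_head,	/* list head: used only for the already-linked scan */` and `struct cds_list_head *insert_loc)	/* cursor node (not a head): the new runtime is added relative to it */`. The call site in lttng_enabler_link_bytecode now passes `instance_bytecode_head` and `insert_loc` separately, which only matters where the two differ; the `add_within:` label directly after `insert_loc = instance_bytecode_head;` suggests a jump from outside the hunk can reach the call with a different `insert_loc`, but that path is not visible here. Both link_bytecode's body and lttng_enabler_link_bytecode's body continue outside the hunks shown.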