From: Mathieu Desnoyers
Date: Fri, 12 Mar 2021 13:42:23 +0000 (-0500)
Subject: Fix: bytecode linker: iteration on wrong list head
X-Git-Tag: v2.13.0-rc1~305
X-Git-Url: https://git.lttng.org./?a=commitdiff_plain;h=5bdf9cccfc9093cafbaf5dfd1d9d69aae2ac598d;p=lttng-ust.git

Fix: bytecode linker: iteration on wrong list head

lttng_enabler_link_bytecode() calls link_bytecode() passing an insertion location (insert_loc) within the list. This insert location is meant to be used as cursor position where to add the new element.

However, bytecode_is_linked() uses it as iteration list head, and this is where things fall apart: it will thus consider the real list head as being a list node, and will erroneously think that it is contained within a struct lttng_bytecode_runtime, and thus try to perform possibly out-of-bound read or read garbage data for the comparison.

It worked fine most of the time because in usual scenarios the insert location is the list head. It falls apart when many bytecodes are linked to a given event.

Fixes: 53b9d7db85d ("Decouple `struct lttng_event` from filter code")
Signed-off-by: Mathieu Desnoyers
Change-Id: Ie47171e981986a30b45b92f82811ff15aae38ad2
---
diff --git a/liblttng-ust/lttng-bytecode.c b/liblttng-ust/lttng-bytecode.c index 6cc3179d..81c83cef 100644 --- a/liblttng-ust/lttng-bytecode.c +++ b/liblttng-ust/lttng-bytecode.c @@ -398,6 +398,7 @@ static int link_bytecode(const struct lttng_event_desc *event_desc, struct lttng_ctx **ctx, struct lttng_ust_bytecode_node *bytecode, + struct cds_list_head *bytecode_runtime_head, struct cds_list_head *insert_loc) { int ret, offset, next_offset; @@ -408,7 +409,7 @@ int link_bytecode(const struct lttng_event_desc *event_desc, if (!bytecode) return 0; /* Bytecode already linked */ - if (bytecode_is_linked(bytecode, insert_loc)) + if (bytecode_is_linked(bytecode, bytecode_runtime_head)) return 0; dbg_printf("Linking...\n"); 
@@ -577,7 +578,7 @@ void lttng_enabler_link_bytecode(const struct lttng_event_desc *event_desc, insert_loc = instance_bytecode_head; add_within: dbg_printf("linking bytecode\n"); - ret = link_bytecode(event_desc, ctx, enabler_bc, insert_loc); + ret = link_bytecode(event_desc, ctx, enabler_bc, instance_bytecode_head, insert_loc); if (ret) { dbg_printf("[lttng filter] warning: cannot link event bytecode\n"); }
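Review bot: the new `bytecode_runtime_head` parameter added to the link_bytecode() prototype (hunk at -398) is undocumented, and it sits right next to `insert_loc`, which is exactly the pair that got confused in the bug being fixed. Suggest a one-line comment above the prototype pinning down the roles, e.g. `/* bytecode_runtime_head: list head, used for iteration; insert_loc: cursor after which the new runtime is inserted */`, so the next caller does not pass a cursor where a head is expected.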
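Review bot: the bytecode_is_linked() call in the hunk at -408 now receives `bytecode_runtime_head`, but nothing in link_bytecode() can verify that what it was handed is really the list head rather than another cursor, so correctness still rests on every caller getting the two arguments right; only the call from lttng_enabler_link_bytecode() is visible in this diff. Consider naming the parameter of bytecode_is_linked() itself so that it visibly expects a list head (its own prototype is not in the context), and checking that no other call site of bytecode_is_linked() still passes an insertion cursor.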
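Review bot: the hunk at -577 shows only the `insert_loc = instance_bytecode_head;` path into the `add_within:` label, which is the case where the old code happened to work; the path that reaches `add_within` with an insert_loc different from the head (the many-bytecodes case the commit message describes) is outside the shown context, so it is worth confirming that `instance_bytecode_head` is the true head of the list at that label however it is reached. Since the failure only surfaces once several bytecodes are linked to one event, a regression test that links several filter bytecodes to a single event and exercises the "already linked" check would cover precisely the path that was reading out of bounds.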