From patchwork Mon Sep 20 02:54:17 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arnaud Lacombe <lacombar@gmail.com>
X-Patchwork-Id: 194152
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id o8K2sJoK029088
	for <patchwork-kbuild@patchwork.kernel.org>;
	Mon, 20 Sep 2010 02:54:19 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755416Ab0ITCyT (ORCPT
	<rfc822;patchwork-kbuild@patchwork.kernel.org>);
	Sun, 19 Sep 2010 22:54:19 -0400
Received: from mail-wy0-f174.google.com ([74.125.82.174]:35896 "EHLO
	mail-wy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754403Ab0ITCyS (ORCPT
	<rfc822;linux-kbuild@vger.kernel.org>);
	Sun, 19 Sep 2010 22:54:18 -0400
Received: by wyf22 with SMTP id 22so3900736wyf.19
	for <linux-kbuild@vger.kernel.org>;
	Sun, 19 Sep 2010 19:54:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:received:in-reply-to
	:references:date:message-id:subject:from:to:cc:content-type;
	bh=kmEuFn+TDOoHq6NTfdbvnCJfHkF/3tsUtIKu/01OnHk=;
	b=wLzH3emP5LKLJmCM+pkP6IjmaBJsuT1ENJXHC0vbYvi6YxBYuYttuPt6qO8i/0/csU
	5DcbTj1Ca6LgGCo0sCHrjqY6r3FgsXMz4pgSwx7ExX5h56hfCyd3fFW1fwZpfWnRW7bA
	hGL0vMHPOq4m2ft//fglI+/lLTgfyhKi/mO0M=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	b=qHceuuNjpx61ZDoZJRVwIwXS0pjJlBIn/W8cpLHvLcqBW0EdBfJgv70aOBLnbvLXyL
	22FghGU6VHLMgUs7Etlhqi+jaWvfbAyStRKOidKj8sK6CW7tEXpOUSv/uBpiht8RUm02
	m052qkl/qP2kCrFzTs656fLqUF4y5sd5YKiGk=
MIME-Version: 1.0
Received: by 10.216.93.9 with SMTP id k9mr7257250wef.89.1284951257470;
	Sun, 19 Sep 2010 19:54:17 -0700 (PDT)
Received: by 10.216.229.99 with HTTP; Sun, 19 Sep 2010 19:54:17 -0700 (PDT)
In-Reply-To: <AANLkTim1EmMOFERs7rwG=zg_AZrXtojE7dKV7Rhf17Ww@mail.gmail.com>
References: <AANLkTim1EmMOFERs7rwG=zg_AZrXtojE7dKV7Rhf17Ww@mail.gmail.com>
Date: Sun, 19 Sep 2010 22:54:17 -0400
Message-ID: <AANLkTinMZj-_neS4jNM+b6-Dk7qzVMsR6DwyX2SHk3kt@mail.gmail.com>
Subject: Re: Stale expression reference causing use-after-free
From: Arnaud Lacombe <lacombar@gmail.com>
To: Catalin Marinas <catalin.marinas@arm.com>, Michal Marek <mmarek@suse.cz>
Cc: linux-kbuild@vger.kernel.org
Sender: linux-kbuild-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kbuild.vger.kernel.org>
X-Mailing-List: linux-kbuild@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.3 (demeter1.kernel.org [140.211.167.41]);
	Mon, 20 Sep 2010 02:54:20 +0000 (UTC)


diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c
index ccd6563..e2b7f01 100644
--- a/scripts/kconfig/expr.c
+++ b/scripts/kconfig/expr.c
@@ -63,12 +59,18 @@ struct expr *expr_alloc_or(struct expr *e1, struct expr *e2)
 	return e2 ? expr_alloc_two(E_OR, e1, e2) : e1;
 }
 
+int expr_copy_nest = 0;
+
 struct expr *expr_copy(struct expr *org)
 {
 	struct expr *e;
 
-	if (!org)
-		return NULL;
+	expr_copy_nest++;
+
+	if (!org) {
+		e = NULL;
+		goto bail_out;
+	}
 
 	e = malloc(sizeof(*org));
 	memcpy(e, org, sizeof(*org));
@@ -97,6 +99,9 @@ struct expr *expr_copy(struct expr *org)
 		break;
 	}
 
+bail_out:
+	expr_copy_nest--;
+
 	return e;
 }