diff mbox series

[1/2] trace-cmd: Duplicate trace_clock in tracecmd_input handle

Message ID 20191219214858.137902679@goodmis.org (mailing list archive)
State Accepted
Commit ca4b997b6505df3cebddff2b3075e84f3ae98624
Series trace-cmd: A couple of fixes

Commit Message

Steven Rostedt Dec. 19, 2019, 9:48 p.m. UTC
From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

The following crashes:

 # trace-cmd record -C local -e sched -B foo -e irq sleep 1
 # trace-cmd report

The issue is that new instances are copied from the top instance descriptor
and their values are set. This means that the trace_clock field is also
copied which is a pointer to a string.

On freeing of the tracecmd_input handlers, the trace_clock is freed. This
is an issue if the trace_clock was added as an option, because the instance
just has a copy of the top instance, and when the instance descriptor is
freed, it will free the same pointer that was already freed by the
destruction of the top instance descriptor and we have a double free.

Have the creation of the instance tracecmd_input handler descriptor perform
a strdup() and have its own copy of the trace_clock.

Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
---
 lib/trace-cmd/trace-input.c | 7 +++++++
 1 file changed, 7 insertions(+)

Patch

diff --git a/lib/trace-cmd/trace-input.c b/lib/trace-cmd/trace-input.c
index 3b187e3f135b..5688610fe082 100644
--- a/lib/trace-cmd/trace-input.c
+++ b/lib/trace-cmd/trace-input.c
@@ -3398,6 +3398,13 @@  tracecmd_buffer_instance_handle(struct tracecmd_input *handle, int indx)
 	new_handle->nr_buffers = 0;
 	new_handle->buffers = NULL;
 	new_handle->ref = 1;
+	if (handle->trace_clock) {
+		new_handle->trace_clock = strdup(handle->trace_clock);
+		if (!new_handle->trace_clock) {
+			free(new_handle);
+			return NULL;
+		}
+	}
 	new_handle->parent = handle;
 	new_handle->cpustats = NULL;
 	new_handle->hooks = NULL;
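
Review bot: the new `if (handle->trace_clock)` block gives trace_clock its own copy, but the commit message says the whole instance descriptor is copied from the top instance, so any other owned pointer that is inherited by that copy and not reset here has the same double-free exposure when both handles are closed. The visible context resets `buffers`, `cpustats` and `hooks` to NULL; it would be worth checking the remaining pointer fields against what the close path frees, and either duplicating or clearing each one in this same spot. A one-line comment above the strdup() saying that each handle owns its trace_clock string, because the close path frees it per handle, would keep a later cleanup from dropping the copy. The failure path itself looks right: `new_handle->trace_clock` is NULL after a failed strdup() and `free(new_handle)` releases only the struct, so the parent's string is untouched.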