Fix trace messages

Resolves: RHEL-80321 Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
2025-04-28 10:40:49 +02:00 · 2025-04-28 10:40:49 +02:00 · e00834ead6
commit e00834ead6
parent bf8b84de0e
2 changed files with 82 additions and 1 deletions
--- a/trace-cmd-lib-Copy-message-buffer-content-in-get_tra.patch
+++ b/trace-cmd-lib-Copy-message-buffer-content-in-get_tra.patch
@ -0,0 +1,77 @@
+From e81cd4e30c368867e424231c160c5392d41425f9 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand <jmarchan@redhat.com>
+Date: Wed, 2 Apr 2025 17:07:51 +0200
+Subject: [PATCH] trace-cmd lib: Copy message buffer content in
+ get_trace_req_args()
+
+The description of  tracecmd_msg_recv_trace_req() calls for freeing
+argv[0] after a successful call. However the address pointed by
+argv[0] which is set in get_trace_req_args() points to msg.buf, which
+is then freed. This cause use-after-free errors, in particular when
+the trace-agent free argv[0] as recommended.
+
+Fix this by copying the content of the message buffer to argv[0] in
+get_trace_req_args().
+
+Fixes the following error. On the guest:
+$ trace-cmd agent
+listening on @3:823
+free(): invalid pointer
+
+On the host:
+$ trace-cmd record  -A @3:823 -p function echo nothing
+Negotiated kvm time sync protocol with guest unnamed-0
+reading client -110 (Unknown error -110)
+nothing
+  cannot create output handle
+
+Link: https://lore.kernel.org/20250402150751.335229-1-jmarchan@redhat.com
+Fixes: 08b9d5076455c ("trace-cmd: Basic infrastructure for host - guest timestamp synchronization")
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+---
+ lib/trace-cmd/trace-msg.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/lib/trace-cmd/trace-msg.c b/lib/trace-cmd/trace-msg.c
+index 5739c171..8d15ce07 100644
+--- a/lib/trace-cmd/trace-msg.c
+++ b/lib/trace-cmd/trace-msg.c
+@@ -1247,7 +1247,7 @@ static int get_trace_req_protos(char *buf, int length,
+ static int get_trace_req_args(char *buf, int length, int *argc, char ***argv)
+ {
+ 	unsigned int nr_args;
+-	char *p, *buf_end;
+	char *p = NULL, *buf_end;
+ 	char **args = NULL;
+ 	int ret;
+ 	int i;
+@@ -1267,8 +1267,15 @@ static int get_trace_req_args(char *buf, int length, int *argc, char ***argv)
+ 		goto out;
+ 	}
+ 
+-	buf_end = buf + length;
+-	for (i = 0, p = buf; i < nr_args; i++, p++) {
+	p = malloc(length);
+	if (!p) {
+		ret = -ENOMEM;
+		goto out;
+	}
+	memcpy(p, buf, length);
+
+	buf_end = p + length;
+	for (i = 0; i < nr_args; i++, p++) {
+ 		if (p >= buf_end) {
+ 			ret = -EINVAL;
+ 			goto out;
+@@ -1282,6 +1289,7 @@ static int get_trace_req_args(char *buf, int length, int *argc, char ***argv)
+ 	return 0;
+ 
+ out:
+	free(p);
+ 	free(args);
+ 	return ret;
+ 
+-- 
+2.49.0
+
--- a/trace-cmd.spec
+++ b/trace-cmd.spec
@ -6,7 +6,7 @@

 Name: trace-cmd
 Version: %{srcversion}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPL-2.1-only AND LGPL-2.1-or-later AND GPL-2.0-only AND GPL-2.0-or-later
 Summary: A user interface to Ftrace

@ -30,6 +30,7 @@ Patch5: trace-cmd-lib-Prevent-memory-leak-in-tracecmd_create.patch
 Patch6: trace-cmd-mem-Prevent-a-memory-leak-in-trace_mem.patch
 Patch7: trace-cmd-record-Check-the-length-of-the-protocol-ve.patch
 Patch8: trace-cmd-Prevent-buffer-overflow-in-update_pid_filt.patch
+Patch9: trace-cmd-lib-Copy-message-buffer-content-in-get_tra.patch

 BuildRequires: make
 BuildRequires: gcc
@ -111,6 +112,9 @@ rm -rf %{buildroot}/%{_mandir}/man3/*
 %{_libdir}/%{name}/python/

 %changelog
+* Thu Apr 24 2025 Jerome Marchand <jmarchan@redhat.com> - 3.3.1-3
+- Fix trace messages (RHEL-80321)
+
 * Wed Jan 15 2025 Jerome Marchand <jmarchan@redhat.com> - 3.3.1-2
 - Prevent buffer overflow in update_pid_filters() (RHEL-56731)