[PATCH 6/6] subcmd: fix memory leak in parse_options_subcommand

[Wang Haoran]

>From 9e71ffe9400fd54c4fc958b16229e5628271e4ad Mon Sep 17 00:00:00 2001
From: Wang Haoran <haoranwangsec@xxxxxxxxx>
Date: Thu, 28 May 2026 15:18:33 +0800
Subject: [PATCH 6/6] subcmd: fix memory leak in parse_options_subcommand

When subcommands are present and no usage string has been provided,
parse_options_subcommand() builds a usage string via astrcat() and
stores it in usagestr[0], but never frees it.  The allocation leaks
on every normal return path.

Move the buf pointer to function scope and free it before returning.

Fixes: <parse_options_subcommand>
Signed-off-by: Wang Haoran <haoranwangsec@xxxxxxxxx>
---
 tools/lib/subcmd/parse-options.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/lib/subcmd/parse-options.c b/tools/lib/subcmd/parse-options.c
index 555d617c1..1eb8053e8 100644
--- a/tools/lib/subcmd/parse-options.c
+++ b/tools/lib/subcmd/parse-options.c
@@ -633,10 +633,10 @@ int parse_options_subcommand(int argc, const char **argv, const struct option *o
 			const char *const subcommands[], const char *usagestr[], int flags)
 {
 	struct parse_opt_ctx_t ctx;
+	char *buf = NULL;
 
 	/* build usage string if it's not provided */
 	if (subcommands && !usagestr[0]) {
-		char *buf = NULL;
 
 		astrcatf(&buf, "%s %s [<options>] {", subcmd_config.exec_name, argv[0]);
 
@@ -680,6 +680,7 @@ int parse_options_subcommand(int argc, const char **argv, const struct option *o
 		usage_with_options(usagestr, options);
 	}
 
+	free(buf);
 	return parse_options_end(&ctx);
 }
 
-- 
2.53.0



---
ASan output on perf 7.0.6 (unpatched) with the attached PoC:

Perf file header corrupt: header overlaps attrs
incompatible file format (rerun with -v to learn more)
Perf session creation failed.

=================================================================
==55949==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73 byte(s) in 1 object(s) allocated from:
    #0 0x77ab3032b60f in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:67
    #1 0x77ab2ee96e6e in __vasprintf_internal libio/vasprintf.c:116
    #2 0x77ab2ef43172 in ___asprintf_chk debug/asprintf_chk.c:34
    #3 0x568d03932ee3 in asprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:206
    #4 0x568d03932ee3 in astrcat 
    #5 0x568d03932ee3 in parse_options_subcommand 
    #6 0x568d038cdef0 in cmd_sched (perf+0x33eef0) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #7 0x568d0391287f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #8 0x568d03785836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #9 0x77ab2ee2a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #10 0x77ab2ee2a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x568d0378d754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

Objects leaked above:
0x741b2e1e0800 (73 bytes)

SUMMARY: AddressSanitizer: 73 byte(s) leaked in 1 allocation(s).

Attachment: crash_err255_iter46.data
Description: Binary data