[PATCH v1] perf symbol: Avoid use after free

From: Ian Rogers
Date: Tue Mar 28 2023 - 19:44:31 EST


If demangling succeeds then sym_name is set to the demangled string
that is freed. Rather than test if sym_name is empty and possibly
use-after-free on the return path, expand out the alternatives.

Signed-off-by: Ian Rogers <irogers@xxxxxxxxxx>
---
tools/perf/util/symbol-elf.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index c0a2de42c51b..b7e3e492bff3 100644
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -577,15 +577,17 @@ static bool get_plt_got_name(GElf_Shdr *shdr, size_t i,
/* Get the associated symbol */
gelf_getsym(di->dynsym_data, vr->sym_idx, &sym);
sym_name = elf_sym__name(&sym, di->dynstr_data);
- demangled = demangle_sym(di->dso, 0, sym_name);
- if (demangled != NULL)
- sym_name = demangled;
-
- snprintf(buf, buf_sz, "%s@plt", sym_name);
-
- free(demangled);
+ if (*sym_name == '\0')
+ return false;

- return *sym_name;
+ demangled = demangle_sym(di->dso, 0, sym_name);
+ if (demangled != NULL) {
+ snprintf(buf, buf_sz, "%s@plt", demangled);
+ free(demangled);
+ } else {
+ snprintf(buf, buf_sz, "%s@plt", sym_name);
+ }
+ return true;
}

static int dso__synthesize_plt_got_symbols(struct dso *dso, Elf *elf,
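Review bot: The return value of `gelf_getsym()` on the first context line is still unchecked, so when the lookup for `vr->sym_idx` fails, the new `*sym_name == '\0'` test reads a name derived from whatever `sym` happened to hold. A guard such as `if (!gelf_getsym(di->dynsym_data, vr->sym_idx, &sym)) return false;` would close that; the index presumably comes from the ELF file being parsed, so it should be treated as untrusted. Separately, the early return now leaves `buf` unwritten, whereas the old code always formatted at least `"@plt"` into it, so a comment such as `/* buf is only valid when this returns true */` would help callers. The function starts outside the hunk, so whether `sym` is initialised or `elf_sym__name()` can return NULL is not visible here.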
--
2.40.0.348.gf938b09366-goog