[PATCH 3/7] perf c2c: Fix use-after-free in he__get_c2c_hists() error path

Next message: Arnaldo Carvalho de Melo: "[PATCH 4/7] perf timechart: Fix cpu2y() OOB read on untrusted CPU index"
Previous message: Arnaldo Carvalho de Melo: "[PATCH v1 0/7] perf tools: Fix NULL derefs, OOB reads, use-after-free, and memory leaks"
In reply to: Arnaldo Carvalho de Melo: "[PATCH 2/7] perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env-&gt;cpu"
Next in thread: Arnaldo Carvalho de Melo: "[PATCH 4/7] perf timechart: Fix cpu2y() OOB read on untrusted CPU index"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arnaldo Carvalho de Melo

Date: Sat Jun 06 2026 - 16:07:15 EST

From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>

he__get_c2c_hists() assigns c2c_he->hists before calling
c2c_hists__init(). If init fails, the error path calls free(hists)
but leaves c2c_he->hists pointing to freed memory. On teardown,
c2c_he_free() finds the non-NULL pointer and calls
hists__delete_entries() on it, causing a use-after-free.

Set c2c_he->hists to NULL before freeing so teardown skips the
already-freed allocation.

Fixes: b2252ae67b687d2b ("perf c2c report: Decode c2c_stats for hist entries")
Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
Cc: Jiri Olsa <jolsa@xxxxxxxxxx>
Assisted-by: Claude Opus 4.6 <noreply@xxxxxxxxxxxxx>
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/builtin-c2c.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
index cfc1ebe8c0af74dc..e205f58b2f3d3786 100644
--- a/tools/perf/builtin-c2c.c
+++ b/tools/perf/builtin-c2c.c
@@ -225,6 +225,7 @@ he__get_c2c_hists(struct hist_entry *he,

ret = c2c_hists__init(hists, sort, nr_header_lines, env);
if (ret) {
+ c2c_he->hists = NULL;
free(hists);
return NULL;
}
--
2.54.0