Memory corruption fix during dynamic pid probe creation

The discovery and creation process for pid probes can sometimes cause the function name to be replaced in the probe description that is used to create pid probes. When that probe description copies its content from a ECB probe description, we cannot just replace the function name value and free the original one because other code data may still hold a reference to that function name string. Make a copy before doing pid probe processing, and free the copy once we are done. Signed-off-by: Kris Van Hees <kris.van.hees@oracle.com> Reviewed-by: Eugene Loh <eugene.loh@oracle.com>
oracle · Apr 12, 2021 · 3a58715 · 3a58715
1 parent 6871d8d
commit 3a58715
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/libdtrace/dt_pid.c b/libdtrace/dt_pid.c
@@ -784,7 +784,7 @@ dt_pid_create_probes_module(dtrace_hdl_t *dtp, dt_proc_t *dpr)
 {
 	dtrace_prog_t *pgp;
 	dt_stmt_t *stp;
-	dtrace_probedesc_t *pdp, pd;
+	dtrace_probedesc_t *pdp;
 	pid_t pid;
 	int ret = 0, found = B_FALSE;
 	char provname[DTRACE_PROVNAMELEN];
@@ -793,9 +793,9 @@ dt_pid_create_probes_module(dtrace_hdl_t *dtp, dt_proc_t *dpr)
 
 	for (pgp = dt_list_next(&dtp->dt_programs); pgp != NULL;
 	    pgp = dt_list_next(pgp)) {
-
 		for (stp = dt_list_next(&pgp->dp_stmts); stp != NULL;
 		    stp = dt_list_next(stp)) {
+			dtrace_probedesc_t	pd;
 
 			pdp = &stp->ds_desc->dtsd_ecbdesc->dted_probe;
 			pid = dt_pid_get_pid(pdp, dtp, NULL, dpr);
@@ -805,6 +805,7 @@ dt_pid_create_probes_module(dtrace_hdl_t *dtp, dt_proc_t *dpr)
 			found = B_TRUE;
 
 			pd = *pdp;
+			pd.fun = strdup(pd.fun);	/* we may change it */
 
 			if (gmatch(provname, pdp->prv) != 0 &&
 			    dt_pid_create_pid_probes(&pd, dtp, NULL, dpr) != 0)
@@ -819,6 +820,8 @@ dt_pid_create_probes_module(dtrace_hdl_t *dtp, dt_proc_t *dpr)
 			    dt_pid_create_usdt_probes(&pd, dtp, NULL, dpr) != 0)
 				ret = 1;
 #endif
+
+			free((char *)pd.fun);
 		}
 	}