Commit 2e60e0ad authored Mar 29, 2025 by Natalia Petrova Committed by Tengda Wu Mar 29, 2025

trace_events_hist: add check for return value of 'create_hist_field'

stable inclusion
from stable-v4.19.272
commit d2d1ada58e7cc100b8d7d6b082d19321ba4a700a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVXP
CVE: CVE-2023-53005

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d2d1ada58e7cc100b8d7d6b082d19321ba4a700a

--------------------------------

commit 8b152e91 upstream.

Function 'create_hist_field' is called recursively at
trace_events_hist.c:1954 and can return NULL-value that's why we have
to check it to avoid null pointer dereference.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Link: https://lkml.kernel.org/r/20230111120409.4111-1-n.petrova@fintech.ru



Cc: stable@vger.kernel.org
Fixes: 30350d65 ("tracing: Add variable support to hist triggers")
Signed-off-by: Natalia Petrova <n.petrova@fintech.ru>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tengda Wu <wutengda2@huawei.com>

parent 6248c98d

kernel/trace/trace_events_hist.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -2234,6 +2234,8 @@ static struct hist_field create_hist_field(struct hist_trigger_data hist_data,
		unsigned long fl = flags & ~HIST_FIELD_FL_LOG2;
		hist_field->fn = hist_field_log2;
		hist_field->operands[0] = create_hist_field(hist_data, field, fl, NULL);
		if (!hist_field->operands[0])
		goto free;
		hist_field->size = hist_field->operands[0]->size;
		hist_field->type = kstrdup(hist_field->operands[0]->type, GFP_KERNEL);
		if (!hist_field->type)