Split the tracepoint name into 2 sys components and assemble them at use. This avoids the sys_name array being out of scope at the point of use. Bug caught with LLVM's address sanitizer with fuzz-generated input of ":cs\1" to parse_events.
Signed-off-by: Ian Rogers <[email protected]>
---
 tools/perf/util/parse-events.y | 36 +++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/tools/perf/util/parse-events.y b/tools/perf/util/parse-events.y
index 48126ae4cd13..28be39a703c9 100644
--- a/tools/perf/util/parse-events.y
+++ b/tools/perf/util/parse-events.y
@@ -104,7 +104,8 @@ static void inc_group_count(struct list_head *list,
 struct list_head *head;
 struct parse_events_term *term;
 struct tracepoint_name {
- char *sys;
+ char *sys1;
+ char *sys2;
 char *event;
 } tracepoint_name;
 struct parse_events_array array;
@@ -425,9 +426,19 @@ tracepoint_name opt_event_config
 if (error)
 error->idx = @1.first_column;
- if (parse_events_add_tracepoint(list, &parse_state->idx, $1.sys, $1.event,
- error, $2))
- return -1;
+ if ($1.sys2) {
+ char sys_name[128];
+ snprintf(&sys_name, sizeof(sys_name), "%s-%s",
+ $1.sys1, $1.sys2);
+ if (parse_events_add_tracepoint(list, &parse_state->idx,
+ sys_name, $1.event,
+ error, $2))
+ return -1;
+ } else
+ if (parse_events_add_tracepoint(list, &parse_state->idx,
+ $1.sys1, $1.event,
+ error, $2))
+ return -1;
 $$ = list;
 }
@@ -435,19 +446,22 @@ tracepoint_name opt_event_config
 tracepoint_name:
 PE_NAME '-' PE_NAME ':' PE_NAME
 {
- char sys_name[128];
- struct tracepoint_name tracepoint;
-
- snprintf(&sys_name, 128, "%s-%s", $1, $3);
- tracepoint.sys = &sys_name;
- tracepoint.event = $5;
+ struct tracepoint_name tracepoint = {
+ .sys1 = $1,
+ .sys2 = $3,
+ .event = $5,
+ };
 $$ = tracepoint;
 }
 |
 PE_NAME ':' PE_NAME
 {
- struct tracepoint_name tracepoint = {$1, $3};
+ struct tracepoint_name tracepoint = {
+ .sys1 = $1,
+ .sys2 = NULL,
+ .event = $3,
+ };
 $$ = tracepoint;
 }
--
2.23.0.700.g56cf767bdb-goog
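Review bot: The two members added to `struct tracepoint_name` in the first hunk carry an invariant that the declaration does not state: the action in the second hunk treats a NULL `sys2` as a single-component system name and otherwise joins `sys1` and `sys2` with '-'. A comment on the member would make that visible to anyone adding another grammar rule that fills this struct, for example `char *sys2; /* NULL unless the system was written as sys1-sys2 */`. The enclosing declaration starts and ends outside this hunk.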
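Review bot: In the `if ($1.sys2)` branch of the second hunk, `snprintf(&sys_name, ...)` passes a `char (*)[128]` where a `char *` is expected, and its return value is ignored. An over-long `sys1-sys2` pair from the event string is therefore silently truncated to 127 bytes and handed to parse_events_add_tracepoint() as a different system name than the one that was written. I would use `int n = snprintf(sys_name, sizeof(sys_name), "%s-%s", $1.sys1, $1.sys2);` followed by `if (n < 0 || (size_t)n >= sizeof(sys_name)) return -1;`, so that truncation fails the parse the same way the existing error path does. The `} else` followed by an unbraced `if` on the next line would also read more safely as a braced `else` block. The action's opening lines are outside this hunk.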

