When consumer_stream_destroy() is called from, for example, the error
path in setup_metadata(), consumer_stream_free() can end up being called
twice on the same stream. Since the stream->metadata_bucket is not set
to NULL after being destroyed, it leads to a use-after-free:
ERROR: AddressSanitiz
- Message original -
> De: "lttng-dev"
> À: "lttng-dev"
> Cc: ker...@axis.com
> Envoyé: Vendredi 25 Février 2022 10:12:02
> Objet: [lttng-dev] [PATCH lttng-tools] Fix: consumer-stream: use-after-free
> of metadata bucket
> When consumer_str
On Tue, Mar 01, 2022 at 06:19:23PM +0100, Jérémie Galarneau wrote:
> Thanks a lot for reporting the problem. If I understand the ASAN
> report correctly, the stream itself will also be double free'd, so
> I don't think this is the complete fix.
Yeah, it looked odd that consumer_stream_destroy() is
itchurch"
> To: "Jeremie Galarneau"
> Cc: "lttng-dev" , "kernel"
> Sent: Wednesday, March 2, 2022 4:27:30 AM
> Subject: Re: [lttng-dev] [PATCH lttng-tools] Fix: consumer-stream:
> use-after-free of metadata bucket
> On Tue, Mar 01, 2022 at 0
On Mon, Mar 07, 2022 at 06:37:49PM +0100, Jérémie Galarneau wrote:
> I had a chance to look into this and came up with the following fix:
> https://review.lttng.org/c/lttng-tools/+/7478/4
>
> Would you have a chance to try it on your end before I merge it?
I've tested the patch stack in patch set
