[DTrace-devel] [PATCH] Memory corruption fix during dynamic pid probe creation

Kris Van Hees kris.van.hees at oracle.com
Mon Apr 12 10:31:38 PDT 2021


The discovery and creation process for pid probes can sometimes
cause the function name to be replaced in the probe description that
is used to create pid probes.  When that probe description copied
its content from an ECB probe description, we cannot just replace the
function name value and free the original one, because other code or data
may still hold a reference to that function name string.

Make a copy before doing pid probe processing, and free the copy once
we are done.

Signed-off-by: Kris Van Hees <kris.van.hees at oracle.com>
---
 libdtrace/dt_pid.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libdtrace/dt_pid.c b/libdtrace/dt_pid.c
index cdc9a1d7..fef17292 100644
--- a/libdtrace/dt_pid.c
+++ b/libdtrace/dt_pid.c
@@ -784,7 +784,7 @@ dt_pid_create_probes_module(dtrace_hdl_t *dtp, dt_proc_t *dpr)
 {
 	dtrace_prog_t *pgp;
 	dt_stmt_t *stp;
-	dtrace_probedesc_t *pdp, pd;
+	dtrace_probedesc_t *pdp;
 	pid_t pid;
 	int ret = 0, found = B_FALSE;
 	char provname[DTRACE_PROVNAMELEN];
@@ -793,6 +793,7 @@ dt_pid_create_probes_module(dtrace_hdl_t *dtp, dt_proc_t *dpr)
 
 	for (pgp = dt_list_next(&dtp->dt_programs); pgp != NULL;
 	    pgp = dt_list_next(pgp)) {
+		dtrace_probedesc_t	pd;
 
 		for (stp = dt_list_next(&pgp->dp_stmts); stp != NULL;
 		    stp = dt_list_next(stp)) {
@@ -805,6 +806,7 @@ dt_pid_create_probes_module(dtrace_hdl_t *dtp, dt_proc_t *dpr)
 			found = B_TRUE;
 
 			pd = *pdp;
+			pd.fun = strdup(pd.fun);	/* we may change it */
 
 			if (gmatch(provname, pdp->prv) != 0 &&
 			    dt_pid_create_pid_probes(&pd, dtp, NULL, dpr) != 0)
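Review bot: The strdup() result on the added line is not checked, so an allocation failure leaves pd.fun NULL before dt_pid_create_pid_probes() and dt_pid_create_usdt_probes() are handed &pd, which presumably dereference the function name; the free() added in the hunk at +821 is harmless on NULL, but the calls in between are not. A guard in the same error style the loop already uses, `if (pd.fun == NULL) { ret = 1; continue; }` (optionally recording EDT_NOMEM via dt_set_errno() first), would fail that statement instead of passing a NULL name down. If pdp->fun can itself be NULL at this point (not visible in the hunk), strdup(NULL) is undefined behaviour and the copy should be made conditional on it. The lines between this hunk and the free() at +821 are not shown; any `continue` or `goto` in that stretch would leak the copy, and since the commit message says the callee may replace pd.fun, the callee must release the string it replaces or the original strdup() result leaks as well. dt_pid_create_probes_module continues outside this hunk.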
@@ -819,6 +821,8 @@ dt_pid_create_probes_module(dtrace_hdl_t *dtp, dt_proc_t *dpr)
 			    dt_pid_create_usdt_probes(&pd, dtp, NULL, dpr) != 0)
 				ret = 1;
 #endif
+
+			free((char *)pd.fun);
 		}
 	}
 
-- 
2.28.0



