tracing: Have error path in predicate_parse() free its allocated memory

CVE-2019-19072

In predicate_parse, there is an error path that is not going to
out_free instead it returns directly which leads to a memory leak.

Link: http://lkml.kernel.org/r/20190920225800.3870-1-navid.emamdoost@gmail.com
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
(cherry picked from commit 96c5c6e6a5b6db592acae039fed54b5c8844cd35)
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index c773b8fb270c51a99f259edb51fd1f55b7202517..c9a74f82b14a279c270268c43cad6287d691d438 100644 (file)
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -452,8 +452,10 @@ predicate_parse(const char *str, int nr_parens, int nr_preds,
 
                switch (*next) {
                case '(':                                       /* #2 */
-                       if (top - op_stack > nr_parens)
-                               return ERR_PTR(-EINVAL);
+                       if (top - op_stack > nr_parens) {
+                               ret = -EINVAL;
+                               goto out_free;
+                       }
                        *(++top) = invert;
                        continue;
                case '!':                                       /* #3 */