From a345f62132ac5b75d752af0741ac82da291f176d Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Fri, 12 Mar 2021 09:36:46 -0500
Subject: [PATCH] Fix: bytecode linker: iteration on wrong list head

lttng_enabler_link_bytecode() calls link_bytecode() passing an insertion location (insert_loc) within the list. This insert location is meant to be used as cursor position where to add the new element. However, bytecode_is_linked() uses it as iteration list head, and this is where things fall apart: it will thus consider the real list head as being a list node, and will erroneously think that it is contained within a struct lttng_bytecode_runtime, and thus try to perform possibly out-of-bound read or read garbage data for the comparison. It worked fine most of the time because in usual scenarios the insert location is the list head. It falls apart when many bytecodes are linked to a given event.

Fixes: 2dfda770cc6 ("Decouple `struct lttng_event` from filter code")
Signed-off-by: Mathieu Desnoyers
Change-Id: I7463c7a9399b8f7f7d0e3d74e6427aae46cf56ff
---
 src/lttng-bytecode.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/lttng-bytecode.c b/src/lttng-bytecode.c
index 86ffe949..343e5380 100644
--- a/src/lttng-bytecode.c
+++ b/src/lttng-bytecode.c
@@ -398,6 +398,7 @@ static
 int link_bytecode(const struct lttng_event_desc *event_desc,
 struct lttng_ctx *ctx,
 struct lttng_bytecode_node *bytecode,
+ struct list_head *bytecode_runtime_head,
 struct list_head *insert_loc)
 {
 int ret, offset, next_offset;
@@ -407,7 +408,7 @@ int link_bytecode(const struct lttng_event_desc *event_desc,
 if (!bytecode)
 return 0;
 /* Bytecode already linked */
- if (bytecode_is_linked(bytecode, insert_loc))
+ if (bytecode_is_linked(bytecode, bytecode_runtime_head))
 return 0;

 dbg_printk("Linking...\n");
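Review bot: The new `bytecode_runtime_head` parameter and the existing `insert_loc` are both bare `struct list_head *`, and mixing the two up is exactly the out-of-bounds container_of walk this commit fixes, yet nothing at the declaration says which is which. I would put a comment above the signature, e.g. `/* bytecode_runtime_head: list searched for an already-linked copy of @bytecode; insert_loc: cursor (the head or a node of that same list) where the new runtime is added. */`. The body of link_bytecode continues past the end of the hunk, so the insertion at insert_loc is not visible here and the cursor semantics are taken from the commit message.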
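Review bot: The `/* Bytecode already linked */` comment above the changed line still does not say why the search has to start at the real list head rather than at `insert_loc`, which is the mistake being fixed, so a later refactor can reintroduce it without anything flagging the change. I would extend it to `/* Bytecode already linked? Walk the whole runtime list from its head: insert_loc may be an interior node, and iterating from it treats the real head as a runtime entry. */`. The rest of the function, including where the runtime is actually inserted at insert_loc, lies outside the hunk.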
@@ -566,7 +567,7 @@ void lttng_enabler_link_bytecode(const struct lttng_event_desc *event_desc,
 insert_loc = instance_bytecode_head;
 add_within:
 dbg_printk("linking bytecode\n");
- ret = link_bytecode(event_desc, ctx, enabler_bc, insert_loc);
+ ret = link_bytecode(event_desc, ctx, enabler_bc, instance_bytecode_head, insert_loc);
 if (ret) {
 dbg_printk("[lttng filter] warning: cannot link event bytecode\n");
 }
-- 
2.34.1
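Review bot: The call now passes `instance_bytecode_head` as the search head while `insert_loc` may have been set to an interior node by whichever path jumped to `add_within:`; those paths are outside the hunk, so the invariant that insert_loc belongs to that same list is only implied by the one assignment visible above the label. I would state it at the label, `add_within: /* insert_loc is instance_bytecode_head or a node already on that list */`, so a future jump to the label cannot hand link_bytecode a cursor from a different list. lttng_enabler_link_bytecode's body starts and ends outside the hunk, so I cannot confirm every jump site from here.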