| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Sep 2015 12:01:58 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Stephane Eranian <eranian@...gle.com>
Cc: Sasha Levin <sasha.levin@...cle.com>,
Ingo Molnar <mingo@...nel.org>,
Vince Weaver <vincent.weaver@...ne.edu>,
Jiri Olsa <jolsa@...hat.com>,
"Liang, Kan" <kan.liang@...el.com>,
LKML <linux-kernel@...r.kernel.org>,
Andrew Hunter <ahh@...gle.com>,
Maria Dimakopoulou <maria.n.dimakopoulou@...il.com>
Subject: Re: [PATCH 01/10] perf,x86: Fix event/group validation
On Thu, Sep 10, 2015 at 01:54:18AM -0700, Stephane Eranian wrote:
> On Fri, Aug 21, 2015 at 1:31 PM, Sasha Levin <sasha.levin@...cle.com> wrote:
> >
> > On 05/21/2015 07:17 AM, Peter Zijlstra wrote:
> > > --- a/arch/x86/kernel/cpu/perf_event_intel.c
> > > +++ b/arch/x86/kernel/cpu/perf_event_intel.c
> > > @@ -2106,7 +2106,7 @@ static struct event_constraint *
> > > intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
> > > struct perf_event *event)
> > > {
> > > - struct event_constraint *c1 = event->hw.constraint;
> > > + struct event_constraint *c1 = cpuc->event_constraint[idx];
> > > struct event_constraint *c2;
> >
> > Hey Peter,
> >
> > I was chasing a memory corruption in this area and I think I found
> > a possible culprit:
> >
> > After this patch, In the code above, we'd access "cpuc->event_constraint[idx]"
> > and read/change memory.
> >
> > The problem is that a valid value for idx is also -1, which isn't checked
> > here, so we end up accessing and possibly corrupting memory that isn't ours.
> >
> >
> I believe your analysis is correct, the following path will create the problem:
>
> validate_group()
> validate_event()
> x86_pmu.get_event_constraints(fake_cpuc, -1, event)
> intel_get_event_constraints(cpuc, idx, event)
> struct event_constraints *c1 = cpuc->event_constraints[idx];
>
> here idx = -1, and the kernel is accessing an invalid memory location.
>
> If think the code could be changed to:
>
> struct event_constraint *c1 = NULL;
> if (idx > -1)
> c1 = cpuc->event_constraints[idx];
>
> idx is not used in the __intel_get_event_constraints() path if I read
> the code correctly.
I prefer >= 0, but yes that looks about right. I still want to rework
all this fake stuff some time, but we should fix this asap.
Something like so then?
---
Subject: perf, intel: Fix out-of-bound
From: Peter Zijlstra <peterz@...radead.org>
Date: Thu Sep 10 11:58:27 CEST 2015
Sasha reported that we can get here with .idx==-1, and
cpuc->event_constraints unallocated.
Cc: stable@...r.kernel.org
Fixes: b371b5943178 ("perf/x86: Fix event/group validation")
Reported-by: Sasha Levin <sasha.levin@...cle.com>
Suggested-by: Stephane Eranian <eranian@...gle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
---
arch/x86/kernel/cpu/perf_event_intel.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -2316,9 +2316,12 @@ static struct event_constraint *
intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
struct perf_event *event)
{
- struct event_constraint *c1 = cpuc->event_constraint[idx];
+ struct event_constraint *c1 = NULL;
struct event_constraint *c2;
+ if (idx >= 0) /* fake does < 0 */
+ c1 = cpuc->event_constraint[idx];
+
/*
* first time only
* - static constraint: no change across incremental scheduling calls
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists