lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 12 Feb 2010 19:17:24 +1100
From:	Anton Blanchard <anton@...ba.org>
To:	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Paul Mackerras <paulus@...ba.org>, Ingo Molnar <mingo@...e.hu>,
	Frederic Weisbecker <fweisbec@...il.com>,
	Arnaldo Carvalho de Melo <acme@...hat.com>
Cc:	linux-kernel@...r.kernel.org
Subject: perf annotate SEGVs


Hi,

I think I understand a problem in perf annotate where I see random corruption
(rb tree issues, glibc malloc failures etc).

The issue happens with zero length symbols, in this particular case they
are kernel functions written entirely in assembly, eg .copy_4K_page,
.__copy_tofrom_user and .memcpy:

   Num:    Value          Size Type    Bind   Vis      Ndx Name
 63516: c00000000004a774   212 FUNC    GLOBAL DEFAULT    1 .devm_ioremap_prot
 69095: c00000000004a848     0 FUNC    GLOBAL DEFAULT    1 .copy_4K_page
 62002: c00000000004aa00     0 FUNC    GLOBAL DEFAULT    1 .__copy_tofrom_user
 50576: c00000000004b000     0 FUNC    GLOBAL DEFAULT    1 .memcpy
 69557: c00000000004b278   176 FUNC    GLOBAL DEFAULT    1 .copy_in_user
 51841: c00000000004b328   144 FUNC    GLOBAL DEFAULT    1 .copy_to_user

In symbol_filter we look at the length of each symbol:

static int symbol_filter(struct map *map __used, struct symb
...
                const int size = (sizeof(*priv->hist) +
                                 (sym->end - sym->start) * sizeof(u64));
 
And since start == end we create 0 bytes of space for the ip[] array.

Later on in hist_hit we then start indexing off this array:

       h->ip[offset]++;

Which then corrupts whatever is next in memory. With large assembly functions
we corrupt a lot :)

How should we fix this? Do we need to do a first pass through our symbols
to fixup ->end before allocating the ->ip[] arrays?

Anton
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ