lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120313155102.GA6465@quad>
Date:	Tue, 13 Mar 2012 16:51:02 +0100
From:	Stephane Eranian <eranian@...gle.com>
To:	linux-kernel@...r.kernel.org
Cc:	peterz@...radead.org, acme@...hat.com, mingo@...e.hu,
	fweisbec@...il.com, dsahern@...il.com
Subject: [PATCH] perf record: fix buffer overrun bug in
 tracepoint_id_to_path()


This patch fixes a buffer overrun bug in tracepoint_id_to_path().
The bug manisfested itself as a memory error reported by perf record.
I ran into it with perf sched:

$ perf sched rec noploop 2
noploop for 2 seconds
[ perf record: Woken up 14 times to write data ]
[ perf record: Captured and wrote 42.701 MB perf.data (~1865622 samples) ]
  Fatal: No memory to alloc tracepoints list

It turned out that tracepoint_id_to_path() was reading the tracepoint id
using read() but the buffer was not large enough to include the \n terminator
for id with 4 digits or more.

The patch fixes the problem by extending the buffer to a more reasonable size
covering all possible id length include \n terminator. Note that atoll() stops
at the first non digit character, thus it is not necessary to clear the buffer
between each read.

Signed-off-by: Stephane Eranian <eranian@...gle.com>
---

diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
index b029296..8a3c8c0 100644
--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -165,7 +165,7 @@ struct tracepoint_path *tracepoint_id_to_path(u64 config)
 	struct tracepoint_path *path = NULL;
 	DIR *sys_dir, *evt_dir;
 	struct dirent *sys_next, *evt_next, sys_dirent, evt_dirent;
-	char id_buf[4];
+	char id_buf[24];
 	int fd;
 	u64 id;
 	char evt_path[MAXPATHLEN];
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ