lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 11 Jan 2013 19:00:43 -0500
From:	Frederik Deweerdt <frederik.deweerdt@...og.eu>
To:	namhyung@...nel.org, acme@...hat.com
Cc:	linux-kernel@...r.kernel.org
Subject: [patch] perf: tui: Fix segfault when drawing out-of-bounds jumps

Hi,

When perf.data contains out-of-symbol jumps,
annotate_browser__mark_jump_targets() correctly avoids marking
out-of-symbol jump targets. However, when moving the cursor on one of
said jumps, annotate_browser__draw_current_jump() will end up with a
bogus 'target' pointer, causing a bogus memory access when dereferencing
'bcursor' or 'btarget'

The following patch performs the same check as mark_jump_targets()
in order to avoid drawing the bogus jump.

Regards,
Frederik

Signed-off-by: Frederik Deweerdt <frederik.deweerdt@...og.eu>

diff --git a/tools/perf/ui/browsers/annotate.c b/tools/perf/ui/browsers/annotate.c
index 5dab3ca..8b84246 100644
--- a/tools/perf/ui/browsers/annotate.c
+++ b/tools/perf/ui/browsers/annotate.c
@@ -195,8 +195,9 @@ static void annotate_browser__draw_current_jump(struct ui_browser *browser)
 	if (strstr(sym->name, "@plt"))
 		return;
 
-	if (!cursor || !cursor->ins || !ins__is_jump(cursor->ins) ||
-	    !disasm_line__has_offset(cursor))
+	if (!cursor || !cursor->ins || !ins__is_jump(cursor->ins)
+	    || !disasm_line__has_offset(cursor)
+	    || cursor->ops.target.offset >= symbol__size(sym))
 		return;
 
 	target = ab->offsets[cursor->ops.target.offset];
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ