Date:	Fri,  8 Feb 2013 13:01:56 -0700
From:	Tim Gardner <tim.gardner@...onical.com>
To:	linux-kernel@...r.kernel.org
Cc:	Tim Gardner <tim.gardner@...onical.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Paul Mackerras <paulus@...ba.org>,
	Ingo Molnar <mingo@...hat.com>,
	Arnaldo Carvalho de Melo <acme@...stprotocols.net>,
	Thomas Gleixner <tglx@...utronix.de>,
	"H. Peter Anvin" <hpa@...or.com>, x86@...nel.org
Subject: [PATCH linux-next] perf/x86: x86_schedule_events(): avoid 512 byte stack variable

x86_schedule_events() creates a 512 byte automatic variable
when compiled for 64 bit. Dynamically allocate this array
to avoid possible stack corruption. Smatch analysis:

arch/x86/kernel/cpu/perf_event.c:727 x86_schedule_events() warn:
 'constraints' puts 512 bytes on stack

Cc: Peter Zijlstra <a.p.zijlstra@...llo.nl>
Cc: Paul Mackerras <paulus@...ba.org>
Cc: Ingo Molnar <mingo@...hat.com>
Cc: Arnaldo Carvalho de Melo <acme@...stprotocols.net>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: "H. Peter Anvin" <hpa@...or.com>
Cc: x86@...nel.org
Cc: <stable@...r.kernel.org> # 2.6.34.y and higher
Signed-off-by: Tim Gardner <tim.gardner@...onical.com>
---

This large stack variable was introduced with 63b146490befc027a7e0923e333269e68b20d380
in 2.6.34. Since it has been around for a while I don't know if it's really a
problem on this code path, but it does consume a good size chunk of the kernel stack.

Applies cleanly to 3.3.y and higher. Needs backport for older kernels.

 arch/x86/kernel/cpu/perf_event.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index bf0f01a..1f2005e 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -718,11 +718,15 @@ int perf_assign_events(struct event_constraint **constraints, int n,
 
 int x86_schedule_events(struct cpu_hw_events *cpuc, int n, int *assign)
 {
-	struct event_constraint *c, *constraints[X86_PMC_IDX_MAX];
+	struct event_constraint *c, **constraints;
 	unsigned long used_mask[BITS_TO_LONGS(X86_PMC_IDX_MAX)];
 	int i, wmin, wmax, num = 0;
 	struct hw_perf_event *hwc;
 
+	constraints = kmalloc(X86_PMC_IDX_MAX*sizeof(*constraints), GFP_ATOMIC);
+	if (!constraints)
+		return -ENOMEM;
+
 	bitmap_zero(used_mask, X86_PMC_IDX_MAX);
 
 	for (i = 0, wmin = X86_PMC_IDX_MAX, wmax = 0; i < n; i++) {
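Review bot: the kmalloc() with GFP_ATOMIC at the top of x86_schedule_events() gives the function a failure mode it did not have with the on-stack array: it can now return -ENOMEM under memory pressure. The changelog should say how callers are expected to handle that error, or the buffer should be allocated once ahead of time (for example as part of struct cpu_hw_events, which is already passed in as cpuc) so this path neither allocates nor fails. If the per-call allocation stays, kmalloc_array(X86_PMC_IDX_MAX, sizeof(*constraints), GFP_ATOMIC) states the element count and size separately instead of open-coding the multiplication.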
@@ -770,6 +774,9 @@ int x86_schedule_events(struct cpu_hw_events *cpuc, int n, int *assign)
 				x86_pmu.put_event_constraints(cpuc, cpuc->event_list[i]);
 		}
 	}
+
+	kfree(constraints);
+
 	return num ? -EINVAL : 0;
 }
 
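Review bot: the kfree(constraints) sits only in front of the final return, so any return statement between the allocation and this point would leak the buffer. The lines between the two hunks are not shown in this patch; if they contain an early return, route it through a common exit label that frees constraints, and it would help to state in the changelog that this is the only exit path after the allocation.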
-- 
1.7.9.5
