lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 20 Mar 2015 11:37:25 +0100
From:	Milos Vyletel <milos@...hat.com>
To:	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Paul Mackerras <paulus@...ba.org>,
	Ingo Molnar <mingo@...hat.com>,
	Arnaldo Carvalho de Melo <acme@...nel.org>,
	Namhyung Kim <namhyung@...nel.org>,
	Jiri Olsa <jolsa@...nel.org>,
	Stephane Eranian <eranian@...gle.com>,
	Milos Vyletel <milos@...hat.com>,
	linux-kernel@...r.kernel.org (open list:PERFORMANCE EVENT...)
Subject: [PATCH] perf: fix race in build_id_cache__add_s()

int build_id_cache__add_s(const char *sbuild_id, const char *debugdir,
                          const char *name, bool is_kallsyms, bool is_vdso)
{
...
        if (access(filename, F_OK)) {
               ^--------------------------------------------------------- [1]
                if (is_kallsyms) {
                         if (copyfile("/proc/kallsyms", filename))
                                goto out_free;
                } else if (link(realname, filename) && copyfile(name, filename))
                             ^-----------------------------^------------- [2]
                                                            \------------ [3]
                        goto out_free;
        }
...

when multiple instances of perf record get to [1] at more or less same time and
run access() one or more may get failure because the file does not exist yet
(since the first instance did not have chance to link it yet). at this point the
race moves to link() at [2] where first thread to get there links file and goes
on but second one gets -EEXIST so it runs copyfile [3] which truncates the file.

recreator:
rm -rf /root/.debug
for cpu in $(awk '/processor/ {print $3}' /proc/cpuinfo); do
	perf record -a -v -T -F 1000 -C $cpu \
		-o perf-${cpu}.data sleep 5 2> /dev/null &
done
wait

and simply search for empty files by
find /lib/modules/`uname -r`/kernel/* -size 0

Signed-off-by: Milos Vyletel <milos@...hat.com>
---
 tools/perf/util/build-id.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
index 0c72680..a9db5a1 100644
--- a/tools/perf/util/build-id.c
+++ b/tools/perf/util/build-id.c
@@ -293,7 +293,8 @@ int build_id_cache__add_s(const char *sbuild_id, const char *debugdir,
 		if (is_kallsyms) {
 			 if (copyfile("/proc/kallsyms", filename))
 				goto out_free;
-		} else if (link(realname, filename) && copyfile(name, filename))
+		} else if (link(realname, filename) && errno != EEXIST &&
+				copyfile(name, filename))
 			goto out_free;
 	}
 
-- 
2.1.0

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ