lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <571777C6.9040809@intel.com>
Date:	Wed, 20 Apr 2016 15:36:22 +0300
From:	Adrian Hunter <adrian.hunter@...el.com>
To:	Arnaldo Carvalho de Melo <acme@...nel.org>
Cc:	Andrey Ryabinin <aryabinin@...tuozzo.com>,
	Ingo Molnar <mingo@...hat.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] perf buildid: fix off-by-one in write_buildid()

On 19/04/16 16:40, Arnaldo Carvalho de Melo wrote:
> Em Tue, Apr 19, 2016 at 11:17:27AM +0300, Andrey Ryabinin escreveu:
>> write_buildid() increments 'name_len' with intention to take into account
>> trailing zero byte. However, 'name_len' was already incremented in
>> machine__write_buildid_table() before.
>> So this leads to out-of-bounds read in do_write():
> 
> Adrian, can you please take a look at the db-export improvements made in
> this series? It'd be good to have your ack for those,

You mean the patches from Chris Phlipot - yes I'll look at them.

> 
> thanks!
> 
> - Arnaldo
>  
>> $ ./perf record sleep 0
>> [ perf record: Woken up 1 times to write data ]
>> =================================================================
>> ==15899==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000099fc92 at pc 0x7f1aa9c7eab5 bp 0x7fff940f84d0 sp 0x7fff940f7c78
>> READ of size 19 at 0x00000099fc92 thread T0
>>     #0 0x7f1aa9c7eab4  (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/libasan.so.2+0x44ab4)
>>     #1 0x649c5b in do_write util/header.c:67
>>     #2 0x649c5b in write_padded util/header.c:82
>>     #3 0x57e8bc in write_buildid util/build-id.c:239
>>     #4 0x57e8bc in machine__write_buildid_table util/build-id.c:278
>> ...
>>
>> 0x00000099fc92 is located 0 bytes to the right of global variable '*.LC99' defined in 'util/symbol.c' (0x99fc80) of size 18
>>   '*.LC99' is ascii string '[kernel.kallsyms]'
>> ...
>>
>> Shadow bytes around the buggy address:
>>   0x00008012bf80: f9 f9 f9 f9 00 00 00 00 00 00 03 f9 f9 f9 f9 f9
>> =>0x00008012bf90: 00 00[02]f9 f9 f9 f9 f9 00 00 00 00 00 05 f9 f9
>>   0x00008012bfa0: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
>>
>> Signed-off-by: Andrey Ryabinin <aryabinin@...tuozzo.com>
>> ---
>>  tools/perf/util/build-id.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
>> index 0573c2e..a1ff68b 100644
>> --- a/tools/perf/util/build-id.c
>> +++ b/tools/perf/util/build-id.c
>> @@ -235,7 +235,7 @@ static int write_buildid(const char *name, size_t name_len, u8 *build_id,
>>  	if (err < 0)
>>  		return err;
>>  
>> -	return write_padded(fd, name, name_len + 1, len);
>> +	return write_padded(fd, name, name_len, len);
>>  }
>>  
>>  static int machine__write_buildid_table(struct machine *machine, int fd)
>> -- 
>> 2.7.3
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ