Message-Id: <1479235210-29090-1-git-send-email-kan.liang@intel.com>
Date:   Tue, 15 Nov 2016 13:40:10 -0500
From:   kan.liang@...el.com
To:     peterz@...radead.org
Cc:     mingo@...hat.com, acme@...nel.org, davej@...emonkey.org.uk,
        dvyukov@...gle.com, eranian@...il.com,
        linux-kernel@...r.kernel.org, Kan Liang <kan.liang@...el.com>
Subject: [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC

From: Kan Liang <kan.liang@...el.com>

A BUG was found by perf_fuzzer after enabling KASAN.
[  205.748005] BUG: KASAN: slab-out-of-bounds in snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
[  205.758324] Read of size 8 by task perf_fuzzer/6618
[  205.763589] CPU: 0 PID: 6618 Comm: perf_fuzzer Not tainted 4.9.0-rc5 #4
[  205.770721] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[  205.778689]  ffff8800c3c479b8 ffffffff816bb796 ffff88011ec00600 ffff8800caa43580
[  205.786759]  ffff8800c3c479e0 ffffffff812fb961 ffff8800c3c47a78 ffff8800caa43580
[  205.794850]  ffff8800caa43580 ffff8800c3c47a68 ffffffff812fbbd8 ffff8800c3c47a28
[  205.802911] Call Trace:
[  205.805559]  [<ffffffff816bb796>] dump_stack+0x63/0x8d
[  205.811135]  [<ffffffff812fb961>] kasan_object_err+0x21/0x70
[  205.817267]  [<ffffffff812fbbd8>] kasan_report_error+0x1d8/0x4c0
[  205.823752]  [<ffffffff81133275>] ? __lock_is_held+0x75/0xc0
[  205.829868]  [<ffffffff81025b12>] ? snb_uncore_imc_read_counter+0x42/0x50
[  205.837198]  [<ffffffff810222e2>] ? uncore_perf_event_update+0xe2/0x160
[  205.844337]  [<ffffffff812fc319>] kasan_report+0x39/0x40
[  205.850085]  [<ffffffff81025e3c>] ? snb_uncore_imc_event_del+0x6c/0xa0

It's caused by accessing box->event_list.

For client IMC, there are no generic counters. It defines its own fixed
free running counters. So event_list and n_events are unused. They can
be removed safely.

Reported-by: Vince Weaver <vincent.weaver@...ne.edu>
Tested-by: Vince Weaver <vincent.weaver@...ne.edu>
Signed-off-by: Kan Liang <kan.liang@...el.com>
---
 arch/x86/events/intel/uncore_snb.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
index 81195cc..a3dcc12 100644
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct perf_event *event, int flags)
 
 	snb_uncore_imc_event_start(event, 0);
 
-	box->n_events++;
-
 	return 0;
 }
 
 static void snb_uncore_imc_event_del(struct perf_event *event, int flags)
 {
-	struct intel_uncore_box *box = uncore_event_to_box(event);
-	int i;
-
 	snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
-
-	for (i = 0; i < box->n_events; i++) {
-		if (event == box->event_list[i]) {
-			--box->n_events;
-			break;
-		}
-	}
 }
 
 int snb_pci2phy_map_init(int devid)
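Review bot: The changelog says only that the report is "caused by accessing box->event_list" and does not explain why the read in the removed loop of snb_uncore_imc_event_del() lands out of bounds. As far as these lines show, snb_uncore_imc_event_add() incremented box->n_events on every add, while nothing here stores the event into box->event_list, so the comparison in the del loop would not be expected to match and the decrement would not run; n_events then only grows, and the loop bound i < box->n_events ends up indexing past the end of the array. Spelling that out in the commit message, and adding a Fixes: tag for the commit that introduced the counting, would make the case for a stable backport clear. It is also worth stating that no shared uncore code relies on box->n_events being non-zero for this PMU, since after this change it is never incremented on the add path.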
-- 
2.5.5
