Message-ID: <37D7C6CF3E00A74B8858931C1DB2F07750CA04CC@SHSMSX103.ccr.corp.intel.com>
Date:   Wed, 16 Nov 2016 14:32:35 +0000
From:   "Liang, Kan" <kan.liang@...el.com>
To:     Ingo Molnar <mingo@...nel.org>
CC:     "peterz@...radead.org" <peterz@...radead.org>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "acme@...nel.org" <acme@...nel.org>,
        "davej@...emonkey.org.uk" <davej@...emonkey.org.uk>,
        "dvyukov@...gle.com" <dvyukov@...gle.com>,
        "eranian@...il.com" <eranian@...il.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Vince Weaver <vincent.weaver@...ne.edu>,
        Stephane Eranian <eranian@...gle.com>,
        Jiri Olsa <jolsa@...hat.com>
Subject: RE: [PATCH] perf/x86/uncore: remove event_list for snb client uncore IMC
> 
> * kan.liang@...el.com <kan.liang@...el.com> wrote:
> 
> > From: Kan Liang <kan.liang@...el.com>
> >
> > A BUG was found by perf_fuzzer after enabling KASAN.
> > [  205.748005] BUG: KASAN: slab-out-of-bounds in
> > snb_uncore_imc_event_del+0x6c/0xa0 at addr ffff8800caa43768
> 
> > Reported-by: Vince Weaver <vincent.weaver@...ne.edu>
> > Tested-by: Vince Weaver <vincent.weaver@...ne.edu>
> > Signed-off-by: Kan Liang <kan.liang@...el.com>
> > ---
> >  arch/x86/events/intel/uncore_snb.c | 12 ------------
> >  1 file changed, 12 deletions(-)
> >
> > diff --git a/arch/x86/events/intel/uncore_snb.c
> > b/arch/x86/events/intel/uncore_snb.c
> > index 81195cc..a3dcc12 100644
> > --- a/arch/x86/events/intel/uncore_snb.c
> > +++ b/arch/x86/events/intel/uncore_snb.c
> > @@ -490,24 +490,12 @@ static int snb_uncore_imc_event_add(struct
> > perf_event *event, int flags)
> >
> >  	snb_uncore_imc_event_start(event, 0);
> >
> > -	box->n_events++;
> > -
> >  	return 0;
> >  }
> >
> >  static void snb_uncore_imc_event_del(struct perf_event *event, int
> > flags)  {
> > -	struct intel_uncore_box *box = uncore_event_to_box(event);
> > -	int i;
> > -
> >  	snb_uncore_imc_event_stop(event, PERF_EF_UPDATE);
> > -
> > -	for (i = 0; i < box->n_events; i++) {
> > -		if (event == box->event_list[i]) {
> > -			--box->n_events;
> > -			break;
> > -		}
> > -	}
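Review bot: the removed del loop `for (i = 0; i < box->n_events; i++)` indexed `box->event_list[i]` against a counter that the add path only ever incremented (`box->n_events++`) without storing `event` into `event_list[]`, so the search never matched, `n_events` never came back down, and the index eventually ran past the array, which is the slab-out-of-bounds KASAN reported. Dropping both the increment and the loop is the right shape of fix since the IMC path never used the list, but the commit message should say that explicitly (it currently quotes only the splat), and it is worth confirming that nothing else on the client IMC path still reads `box->n_events` now that it is no longer maintained.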
> 
> I'll apply this fix - but could we please also make sure box->event_list[]
> _always_ get initialized to a sane state?
> 

box is allocated by kzalloc_node. It should be always initialized to a
sane state.

But the previous code only updates n_events, and forgets to update
event_list in event add. That triggers the bug in event del.

Thanks,
Kan

> If it had a proper zero initial value in box->n_events the bug would not
> have triggered. So struct intel_uncore_box initialization appears to be
> sloppy, and that should be looked at as well...
> 
> Thanks,
> 
> 	Ingo
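The bug class discussed in this thread, a counter that is bumped on add while the array it is supposed to describe is never written, is shown below as an added example in plain C. It is not the kernel's code: `struct box`, `n_events`, `event_list`, `MAX_EVENTS` and the `buggy_add`/`good_add`/`good_del` functions are hypothetical stand-ins for the `intel_uncore_box` fields named in the patch, and the lookup carries an explicit bound so the mismatch surfaces as a return code instead of the out-of-bounds read KASAN caught.

```c
/* Added illustration (not the kernel's code) of the n_events/event_list
 * mismatch described in the thread. All names are hypothetical stand-ins. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EVENTS 4

struct event { int id; };

struct box {
    int n_events;                        /* stand-in for box->n_events */
    struct event *event_list[MAX_EVENTS]; /* stand-in for box->event_list[] */
};

/* Zeroed allocation, like kzalloc: n_events == 0, every slot NULL. */
static struct box *box_alloc(void)
{
    return calloc(1, sizeof(struct box));
}

/* Buggy add, mirroring the pattern the patch removes: the counter grows
 * but the event is never stored, so n_events stops describing event_list[]. */
static int buggy_add(struct box *box, struct event *ev)
{
    (void)ev;
    box->n_events++;
    return 0;
}

/* Lookup used by the del path. Returns the index, -1 if absent, or -2 when
 * n_events has outrun the array (the unguarded kernel loop would instead
 * read past event_list[], which is what KASAN reported). */
static int find_event(const struct box *box, const struct event *ev)
{
    int i;
    for (i = 0; i < box->n_events; i++) {
        if (i >= MAX_EVENTS)
            return -2; /* counter/array mismatch detected */
        if (box->event_list[i] == ev)
            return i;
    }
    return -1;
}

/* Consistent add: the only place n_events moves up, and it always stores. */
static int good_add(struct box *box, struct event *ev)
{
    if (box->n_events >= MAX_EVENTS)
        return -1;
    box->event_list[box->n_events++] = ev;
    return 0;
}

/* Consistent del: compact the array so n_events stays the exact count. */
static int good_del(struct box *box, struct event *ev)
{
    int i = find_event(box, ev);
    if (i < 0)
        return i;
    memmove(&box->event_list[i], &box->event_list[i + 1],
            (size_t)(box->n_events - i - 1) * sizeof(box->event_list[0]));
    box->event_list[--box->n_events] = NULL;
    return 0;
}

/* Scenario 1: the buggy pattern. After more adds than slots, a del that
 * searches for an event that was never stored walks off the array. */
static int scenario_buggy(void)
{
    struct box *box = box_alloc();
    struct event evs[MAX_EVENTS + 1];
    int i, rc;

    for (i = 0; i < MAX_EVENTS + 1; i++)
        buggy_add(box, &evs[i]);
    rc = find_event(box, &evs[0]); /* -2: out-of-bounds read averted */
    free(box);
    return rc;
}

/* Scenario 2: consistent add/del keeps n_events and event_list[] in step.
 * Returns 0 on success. */
static int scenario_good(void)
{
    struct box *box = box_alloc();
    struct event a = {1}, b = {2}, c = {3};
    int rc = 0;

    rc |= good_add(box, &a);
    rc |= good_add(box, &b);
    rc |= good_add(box, &c);
    rc |= good_del(box, &b); /* remove the middle element */
    if (rc || box->n_events != 2 || find_event(box, &c) != 1 ||
        find_event(box, &b) != -1 || box->event_list[2] != NULL)
        rc = -1;
    free(box);
    return rc;
}
```

The defensive bound in `find_event` is the kind of check that turns this class of bug into a loud, deterministic failure in testing rather than a read that is only visible under KASAN; the real fix in the thread is simpler still, since the IMC path never needed the list at all.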
