Message-ID: <20170102193904.GC27864@kernel.org>
Date:   Mon, 2 Jan 2017 16:39:04 -0300
From:   Arnaldo Carvalho de Melo <acme@...nel.org>
To:     Krister Johansen <kjlx@...pleofstupid.com>
Cc:     Namhyung Kim <namhyung@...nel.org>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Frédéric Weisbecker <fweisbec@...il.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 perf/core] perf script: fix a use after free crash.

On Mon, Jan 02, 2017 at 02:36:57PM -0300, Arnaldo Carvalho de Melo wrote:
> On Mon, Jan 02, 2017 at 02:35:30PM -0300, Arnaldo Carvalho de Melo wrote:
> > On Mon, Jan 02, 2017 at 12:15:14PM -0300, Arnaldo Carvalho de Melo wrote:
>  {
>         zfree(&iter->priv);
>         iter->he = NULL;
> +       map__zput(al->map);

What does this pair with? I was expecting that, since this is called via:

   hist_entry_iter__add()
   {
           <SNIP>
           err2 = iter->ops->finish_entry(iter, al);
   }

Then it would have to match something done earlier in
hist_entry_iter__add(), most likely by some iter->ops->() method, but I
couldn't find anything to that extent, can you clarify?

- Arnaldo
  
>         return 0;
>  }
>  
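Review bot: the `map__zput(al->map)` added here has no matching `map__get()` visible in this hunk or in the hist_entry_iter__add() path quoted above, so finish_entry() releases a reference it never took. The backtrace quoted below shows the consequence: __map__zput() called from iter_finish_cumulative_entry() takes the map to refcnt 0 (`refcnt = {counter = 0}`) while its rb_node is still linked (`__rb_parent_color = 37304353`), and map__exit() then trips `BUG_ON(!RB_EMPTY_NODE(&map->rb_node))`. Either keep the put next to the get it balances, or state in the commit message which earlier call takes the reference this line releases.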
> > perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
> > 
> > Thread 1 "perf" received signal SIGABRT, Aborted.
> > 0x00007ffff522691f in raise () from /lib64/libc.so.6
> > (gdb) bt
> > #0  0x00007ffff522691f in raise () from /lib64/libc.so.6
> > #1  0x00007ffff522851a in abort () from /lib64/libc.so.6
> > #2  0x00007ffff521eda7 in __assert_fail_base () from /lib64/libc.so.6
> > #3  0x00007ffff521ee52 in __assert_fail () from /lib64/libc.so.6
> > #4  0x0000000000504e57 in map__exit (map=0x2393790) at util/map.c:246
> > #5  0x0000000000504ea5 in map__delete (map=0x2393790) at util/map.c:252
> > #6  0x0000000000504f0a in map__put (map=0x2393790) at util/map.c:259
> > #7  0x000000000052fa01 in __map__zput (map=0x7fffffff8230) at util/map.h:161
> > #8  0x000000000053295b in iter_finish_cumulative_entry (iter=0x7fffffff8260, al=0x7fffffff8220) at util/hist.c:983
> > #9  0x0000000000532b53 in hist_entry_iter__add (iter=0x7fffffff8260, al=0x7fffffff8220, max_stack_depth=127, arg=0x7fffffffa7b0) at util/hist.c:1059
> > #10 0x000000000044f5cf in perf_event__process_sample (tool=0x7fffffffa7b0, event=0x7ffff7e24578, evsel=0x21515d0, sample=0x7fffffff8410, machine=0x21b2bf8)
> >     at builtin-top.c:774
> > #11 0x000000000044f8ee in perf_top__mmap_read_idx (top=0x7fffffffa7b0, idx=2) at builtin-top.c:840
> > #12 0x000000000044fa0d in perf_top__mmap_read (top=0x7fffffffa7b0) at builtin-top.c:857
> > #13 0x0000000000450080 in __cmd_top (top=0x7fffffffa7b0) at builtin-top.c:1002
> > #14 0x00000000004514e0 in cmd_top (argc=0, argv=0x7fffffffe130, prefix=0x0) at builtin-top.c:1330
> > #15 0x00000000004b5af5 in run_builtin (p=0xa0baf8 <commands+312>, argc=6, argv=0x7fffffffe130) at perf.c:358
> > #16 0x00000000004b5d62 in handle_internal_command (argc=6, argv=0x7fffffffe130) at perf.c:420
> > #17 0x00000000004b5ea7 in run_argv (argcp=0x7fffffffdf8c, argv=0x7fffffffdf80) at perf.c:466
> > #18 0x00000000004b6290 in main (argc=6, argv=0x7fffffffe130) at perf.c:610
> > (gdb) fr 4
> > #4  0x0000000000504e57 in map__exit (map=0x2393790) at util/map.c:246
> > 246		BUG_ON(!RB_EMPTY_NODE(&map->rb_node));
> > (gdb) p map
> > $1 = (struct map *) 0x2393790
> > (gdb) p *map
> > $2 = {{rb_node = {__rb_parent_color = 37304353, rb_right = 0x0, rb_left = 0x0}, node = {next = 0x2393821, prev = 0x0}}, start = 140434683187200, 
> >   end = 140434690723840, type = 0 '\000', erange_warned = false, priv = 0, prot = 5, flags = 2, pgoff = 0, reloc = 0, maj = 253, min = 0, ino = 132875, 
> >   ino_generation = 3472328296227680304, map_ip = 0x504125 <map__map_ip>, unmap_ip = 0x504174 <map__unmap_ip>, dso = 0x22b3890, groups = 0x2385290, refcnt = {
> >     counter = 0}}
> > (gdb)
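A cut-down model of the refcount and rb_node interaction behind the assertion and backtrace above, added here as an example and not code from perf or from this thread. struct map, map_get/map_put, RB_EMPTY_NODE and the ownership split between the map tree and al->map are simplified stand-ins for the real ones, and the resolver_takes_ref flag is a hypothetical knob standing for whatever code fills al->map.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Added example, not perf's code: a cut-down model of struct map's refcnt and
 * rb_node, showing how an unpaired map__zput() drives refcnt to 0 on a map that
 * is still linked, the state BUG_ON(!RB_EMPTY_NODE(&map->rb_node)) aborts on. */
struct map {
	unsigned long rb_parent_color;	/* stands in for rb_node.__rb_parent_color */
	int refcnt;
};
/* Kernel rbtree convention: a node that is in no tree points at itself. */
#define RB_EMPTY_NODE(m) ((m)->rb_parent_color == (unsigned long)&(m)->rb_parent_color)
#define RB_CLEAR_NODE(m) ((m)->rb_parent_color = (unsigned long)&(m)->rb_parent_color)
static struct map *map_new(void) {
	struct map *m = calloc(1, sizeof(*m));
	if (!m)
		abort();
	RB_CLEAR_NODE(m);
	m->refcnt = 1;	/* the creator's reference */
	return m;
}
static void map_get(struct map *m) { m->refcnt++; }
/* 0: dropped, map alive; 1: last reference, freed; -1: refcnt hit zero while
 * still linked (the BUG_ON case; the map is deliberately leaked here). */
static int map_put(struct map *m) {
	if (--m->refcnt > 0)
		return 0;
	if (!RB_EMPTY_NODE(m))
		return -1;
	free(m);
	return 1;
}
/* The patch's finish_entry(): map__zput(al->map) drops one reference. */
static int finish_entry(struct map **al_map) {
	int ret = map_put(*al_map);
	*al_map = NULL;
	return ret;
}

/* The tree owns the creator's reference; resolver_takes_ref models whether
 * the code filling al->map took its own. Returns finish_entry()'s result. */
static int scenario(bool resolver_takes_ref) {
	struct map *m = map_new();
	m->rb_parent_color = 0x1234;	/* map_groups__insert(): non-self = linked */
	if (resolver_takes_ref)
		map_get(m);	/* refcnt 2: the tree's and al's */
	struct map *al_map = m;
	int ret = finish_entry(&al_map);
	if (ret == 0) {	/* tree still holds it: unlink (rb_erase), then free */
		RB_CLEAR_NODE(m);
		map_put(m);
	}
	return ret;
}
```

scenario(false) reproduces the reported state (refcnt 0 on a linked map, the BUG_ON condition); scenario(true) shows the same put balanced by a get taken when al->map was filled.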
