lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 25 Oct 2017 14:50:33 +0530
From:   "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>
To:     Jiri Olsa <jolsa@...hat.com>
Cc:     Ravi Bangoria <ravi.bangoria@...ux.vnet.ibm.com>, acme@...nel.org,
        linux-kernel@...r.kernel.org, peterz@...radead.org,
        mingo@...hat.com, alexander.shishkin@...ux.intel.com,
        namhyung@...nel.org, treeze.taeung@...il.com,
        yao.jin@...ux.intel.com, kim.phillips@....com
Subject: Re: [RFC] perf tool: Fix memory corruption because of zero length
 symbols

On 2017/10/25 08:28AM, Jiri Olsa wrote:
> On Tue, Oct 24, 2017 at 07:50:06PM +0530, Ravi Bangoria wrote:
> > Perf top is often crashing at very random locations on powerpc.
> > After investigating, I found the crash only happens when sample
> > is of zero length symbol. Powerpc kernel has many such symbols
> > which does not contain length details in vmlinux binary and thus
> > start and end addresses of such symbols are same.
> > 
> > Structure
> > 
> >   struct sym_hist {
> >         u64                   nr_samples;
> >         u64                   period;
> >         struct sym_hist_entry addr[0];
> >   };
> > 
> > has last member 'addr[]' of size zero. 'addr[]' is an array of
> > addresses that belongs to one symbol (function). If function
> > consist of 100 instructions, 'addr' points to an array of 100
> > 'struct sym_hist_entry' elements. For zero length symbol, it
> > points to the *empty* array, i.e. no members in the array and
> > thus offset 0 is also invalid for such array.
> > 
> >   static int __symbol__inc_addr_samples(...)
> >   {
> >         ...
> >         offset = addr - sym->start;
> >         h = annotation__histogram(notes, evidx);
> >         h->nr_samples++;
> >         h->addr[offset].nr_samples++;
> >         h->period += sample->period;
> >         h->addr[offset].period += sample->period;
> >         ...
> >   }
> > 
> > Here, when 'addr' is same as 'sym->start', 'offset' becomes 0,
> > which is valid for normal symbols but *invalid* for zero length
> > symbols and thus updating h->addr[offset] causes memory corruption.
> 
> I think this will work, however what's the idea behind
> zero sized symbols? I mean when we get samples for it,
> what are they for.. is it like alias, whats the purpose?

This was discussed here:
https://lkml.org/lkml/2016/10/10/148

We aren't setting the size for our assembly routines.

- Naveen

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ