lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 25 Oct 2017 11:49:29 -0300
From:   Arnaldo Carvalho de Melo <acme@...nel.org>
To:     "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>
Cc:     Jiri Olsa <jolsa@...hat.com>,
        Ravi Bangoria <ravi.bangoria@...ux.vnet.ibm.com>,
        linux-kernel@...r.kernel.org, peterz@...radead.org,
        mingo@...hat.com, alexander.shishkin@...ux.intel.com,
        namhyung@...nel.org, treeze.taeung@...il.com,
        yao.jin@...ux.intel.com, kim.phillips@....com
Subject: Re: [RFC] perf tool: Fix memory corruption because of zero length
 symbols

Em Wed, Oct 25, 2017 at 02:50:33PM +0530, Naveen N. Rao escreveu:
> On 2017/10/25 08:28AM, Jiri Olsa wrote:
> > On Tue, Oct 24, 2017 at 07:50:06PM +0530, Ravi Bangoria wrote:
> > > Perf top is often crashing at very random locations on powerpc.
> > > After investigating, I found the crash only happens when sample
> > > is of zero length symbol. Powerpc kernel has many such symbols
> > > which does not contain length details in vmlinux binary and thus
> > > start and end addresses of such symbols are same.
> > > 
> > > Structure
> > > 
> > >   struct sym_hist {
> > >         u64                   nr_samples;
> > >         u64                   period;
> > >         struct sym_hist_entry addr[0];
> > >   };
> > > 
> > > has last member 'addr[]' of size zero. 'addr[]' is an array of
> > > addresses that belongs to one symbol (function). If function
> > > consist of 100 instructions, 'addr' points to an array of 100
> > > 'struct sym_hist_entry' elements. For zero length symbol, it
> > > points to the *empty* array, i.e. no members in the array and
> > > thus offset 0 is also invalid for such array.
> > > 
> > >   static int __symbol__inc_addr_samples(...)
> > >   {
> > >         ...
> > >         offset = addr - sym->start;
> > >         h = annotation__histogram(notes, evidx);
> > >         h->nr_samples++;
> > >         h->addr[offset].nr_samples++;
> > >         h->period += sample->period;
> > >         h->addr[offset].period += sample->period;
> > >         ...
> > >   }
> > > 
> > > Here, when 'addr' is same as 'sym->start', 'offset' becomes 0,
> > > which is valid for normal symbols but *invalid* for zero length
> > > symbols and thus updating h->addr[offset] causes memory corruption.
> > 
> > I think this will work, however what's the idea behind
> > zero sized symbols? I mean when we get samples for it,
> > what are they for.. is it like alias, whats the purpose?
> 
> This was discussed here:
> https://lkml.org/lkml/2016/10/10/148
> 
> We aren't setting the size for our assembly routines.

Applying, after adding this as a Link: tag and Namhyung's and Jiri's
acked-by, will try to have it in perf/urgent soon, i.e. for 4.14, if
still possible.

- Arnaldo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ