lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 6 Dec 2017 14:40:53 +0100
From:   Peter Zijlstra <peterz@...radead.org>
To:     Namhyung Kim <namhyung@...nel.org>
Cc:     Arnaldo Carvalho de Melo <acme@...nel.org>,
        Fengguang Wu <fengguang.wu@...el.com>,
        linux-kernel@...r.kernel.org, Wang Nan <wangnan0@...wei.com>,
        Ingo Molnar <mingo@...hat.com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Jiri Olsa <jolsa@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Will Deacon <will.deacon@....com>, lkp@...org,
        Dmitry Vyukov <dvyukov@...gle.com>, kasan-dev@...glegroups.com,
        kernel-team@....com
Subject: Re: BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530

On Tue, Dec 05, 2017 at 05:11:56PM +0900, Namhyung Kim wrote:
> From c12126c4ff9835f0899619db3ee7b4a3151ff2bb Mon Sep 17 00:00:00 2001
> From: Namhyung Kim <namhyung@...nel.org>
> Date: Tue, 5 Dec 2017 16:54:50 +0900
> Subject: [PATCH] perf/core: Fix overflow on perf_callchain_entry
> 
> The commit 97c79a38cd45 add a check whether per-event max stack is
> greater than the global max.  But it missed to do it for the first
> event.  So if the event had a stack depth greater than the global max,
> it could overflow the callchain entry list.
> 
> Reported-by: Fengguang Wu <fengguang.wu@...el.com>
> Fixes: 97c79a38cd45 ("perf core: Per event callchain limit")
> Signed-off-by: Namhyung Kim <namhyung@...nel.org>

Indeed, nice catch.

Acked-by: Peter Zijlstra (Intel) <peterz@...radead.org>

Ingo, can you make this happen in perf/urgent ?

> ---
>  kernel/events/callchain.c | 21 ++++++++++++---------
>  1 file changed, 12 insertions(+), 9 deletions(-)
> 
> diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c
> index 1b2be63c8528..e449e23802eb 100644
> --- a/kernel/events/callchain.c
> +++ b/kernel/events/callchain.c
> @@ -119,19 +119,22 @@ int get_callchain_buffers(int event_max_stack)
>  		goto exit;
>  	}
>  
> +	/*
> +	 * If requesting per event more than the global cap,
> +	 * return a different error to help userspace figure this out.
> +	 *
> +	 * And also do it here so that we have &callchain_mutex held.
> +	 */
> +	if (event_max_stack > sysctl_perf_event_max_stack) {
> +		err = -EOVERFLOW;
> +		goto exit;
> +	}
> +
>  	if (count > 1) {
>  		/* If the allocation failed, give up */
>  		if (!callchain_cpus_entries)
>  			err = -ENOMEM;
> -		/*
> -		 * If requesting per event more than the global cap,
> -		 * return a different error to help userspace figure
> -		 * this out.
> -		 *
> -		 * And also do it here so that we have &callchain_mutex held.
> -		 */
> -		if (event_max_stack > sysctl_perf_event_max_stack)
> -			err = -EOVERFLOW;
> +
>  		goto exit;
>  	}
>  
> -- 
> 2.15.0
> 

Powered by blists - more mailing lists