lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 9 Aug 2018 10:07:22 +0200
From:   Jiri Olsa <jolsa@...hat.com>
To:     Stephane Eranian <eranian@...gle.com>
Cc:     linux-kernel@...r.kernel.org, acme@...hat.com,
        peterz@...radead.org, mingo@...e.hu
Subject: Re: [PATCH v2] perf ordered_events: fix crash in free_dup_event()

On Wed, Aug 08, 2018 at 03:33:20PM -0700, Stephane Eranian wrote:
> This patch fixes a bug in ordered_event.c:alloc_event().
> An ordered_event struct was not initialized properly potentially
> causing crashes later on in free_dup_event() depending on the
> content of the memory. If it was NULL, then it would work fine,
> otherwise, it could cause crashes such as:

I'm now little puzzled what do we use this first event for..
I can't see anything special about it, other than it's added
on the list uninitialized ;-)

it seems to work properly when we ditch it.. might be some
prehistoric leftover or I'm terribly missing something

thanks,
jirka


---
diff --cc tools/perf/util/ordered-events.c
index bad9e0296e9a,0e837b0b8582..000000000000
--- a/tools/perf/util/ordered-events.c
+++ b/tools/perf/util/ordered-events.c
@@@ -119,12 -119,8 +119,9 @@@ static struct ordered_event *alloc_even
  		pr("alloc size %" PRIu64 "B (+%zu), max %" PRIu64 "B\n",
  		   oe->cur_alloc_size, size, oe->max_alloc_size);
  
 +		oe->cur_alloc_size += size;
- 		list_add(&oe->buffer->list, &oe->to_free);
- 
- 		/* First entry is abused to maintain the to_free list. */
- 		oe->buffer_idx = 2;
- 		new = oe->buffer + 1;
+ 		oe->buffer_idx = 1;
+ 		new = oe->buffer;
  	} else {
  		pr("allocation limit reached %" PRIu64 "B\n", oe->max_alloc_size);
  	}

Powered by blists - more mailing lists