lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190311202446.10210-3-andi@firstfloor.org>
Date:   Mon, 11 Mar 2019 13:24:38 -0700
From:   Andi Kleen <andi@...stfloor.org>
To:     acme@...nel.org
Cc:     jolsa@...nel.org, linux-perf-users@...r.kernel.org,
        linux-kernel@...r.kernel.org, Andi Kleen <ak@...ux.intel.com>
Subject: [PATCH v1 02/10] perf, tools, stat: Avoid memory overrun with -r

From: Andi Kleen <ak@...ux.intel.com>

When -r is used memory would get corrupted because the evsel->id array
would get overrun. evsel->ids is a running counter of the last id.
Normally this works fine, but with -r the same event is initialized
multiple times, but not this counter, so it would keep growing
beyond the array limit and corrupt random memory.

Always reinitialize ->ids, and also add an assert to catch
such overruns in the future.

This fixes a perf segfault when running it from toplev.

Before:

$ valgrind perf stat -r2 -e '{cycles,cycles,cycles,cycles}' true
==27012== Memcheck, a memory error detector
==27012== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27012== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==27012== Command: perf stat -r2 -e {cycles,cycles,cycles,cycles} true
==27012==
==27012== Invalid write of size 8
==27012==    at 0x33090F: perf_evlist__id_add_fd (in /usr/bin/perf)
==27012==    by 0x33C99B: perf_evsel__store_ids (in /usr/bin/perf)
==27012==    by 0x2B7E1D: ??? (in /usr/bin/perf)
==27012==    by 0x2B97DE: cmd_stat (in /usr/bin/perf)
==27012==    by 0x31BFC0: ??? (in /usr/bin/perf)
==27012==    by 0x29C7A9: main (in /usr/bin/perf)
==27012==  Address 0x13182be8 is 0 bytes after a block of size 8 alloc'd
==27012==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
==27012==    by 0x33C921: perf_evsel__store_ids (in /usr/bin/perf)
==27012==    by 0x2B7E1D: ??? (in /usr/bin/perf)
==27012==    by 0x2B97DE: cmd_stat (in /usr/bin/perf)
==27012==    by 0x31BFC0: ??? (in /usr/bin/perf)
==27012==    by 0x29C7A9: main (in /usr/bin/perf)
==27012==
...

After:

$ valgrind ./perf stat -r2 -e '{cycles,cycles,cycles,cycles}' true
==27026== Memcheck, a memory error detector
==27026== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==27026== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==27026== Command: ./perf stat -r2 -e {cycles,cycles,cycles,cycles} true
==27026==

 Performance counter stats for 'true' (2 runs):

...

Signed-off-by: Andi Kleen <ak@...ux.intel.com>
---
 tools/perf/util/evlist.c | 1 +
 tools/perf/util/evsel.c  | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c
index ed20f4379956..4f02bccba204 100644
--- a/tools/perf/util/evlist.c
+++ b/tools/perf/util/evlist.c
@@ -529,6 +529,7 @@ void perf_evlist__id_add(struct perf_evlist *evlist, struct perf_evsel *evsel,
 			 int cpu, int thread, u64 id)
 {
 	perf_evlist__id_hash(evlist, evsel, cpu, thread, id);
+	assert(evsel->ids < evsel->sample_id->max_x * evsel->sample_id->max_y);
 	evsel->id[evsel->ids++] = id;
 }
 
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 3bbf73e979c0..686318f69b1d 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -3001,5 +3001,7 @@ int perf_evsel__store_ids(struct perf_evsel *evsel, struct perf_evlist *evlist)
 	if (perf_evsel__alloc_id(evsel, cpus->nr, threads->nr))
 		return -ENOMEM;
 
+	evsel->ids = 0;
+
 	return store_evsel_ids(evsel, evlist);
 }
-- 
2.20.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ