| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.21.1907231639120.14532@macbook-air>
Date: Tue, 23 Jul 2019 16:42:30 -0400 (EDT)
From: Vince Weaver <vincent.weaver@...ne.edu>
To: linux-kernel@...r.kernel.org
cc: Arnaldo Carvalho de Melo <acme@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...hat.com>,
Namhyung Kim <namhyung@...nel.org>
Subject: [patch] perf tool buffer overflow in perf_header__read_build_ids
Hello
my perf_tool_fuzzer has found another issue, this one a buffer overflow
in perf_header__read_build_ids. The build id filename is read in with a
filename length read from the perf.data file, but this can be longer than
PATH_MAX which will smash the stack.
This might not be the right fix, not sure if filename should be NUL
terminated or not.
Signed-off-by: Vince Weaver <vincent.weaver@...ne.edu>
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index c24db7f4909c..9a893a26e678 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -2001,6 +2001,9 @@ static int perf_header__read_build_ids(struct perf_header *header,
perf_event_header__bswap(&bev.header);
len = bev.header.size - sizeof(bev);
+
+ if (len>PATH_MAX) len=PATH_MAX;
+
if (readn(input, filename, len) != len)
goto out;
/*
Powered by blists - more mailing lists