lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.21.1907251423410.22624@macbook-air>
Date:   Thu, 25 Jul 2019 14:27:14 -0400 (EDT)
From:   Vince Weaver <vincent.weaver@...ne.edu>
To:     linux-kernel@...r.kernel.org
cc:     Arnaldo Carvalho de Melo <acme@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...hat.com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Jiri Olsa <jolsa@...hat.com>,
        Namhyung Kim <namhyung@...nel.org>
Subject: [patch] perf report segfault with 0-sized strings

Hello,

the perf_data_fuzzer found an issue when strings have size 0.
malloc() in do_read_string() is happy to allocate a string of 
size 0 but when code (in this case the pmu parser) tries to work with 
those it will segfault.

Signed-off-by: Vince Weaver <vincent.weaver@...ne.edu>

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index c24db7f4909c..641129efa987 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -251,6 +252,9 @@ static char *do_read_string(struct feat_fd *ff)
 	if (do_read_u32(ff, &len))
 		return NULL;
 
+	if (len==0)
+		return NULL;
+
 	buf = malloc(len);
 	if (!buf)
 		return NULL;
@@ -1781,6 +1785,10 @@ static void print_pmu_mappings(struct feat_fd *ff, FILE *fp)
 	str = ff->ph->env.pmu_mappings;
 
 	while (pmu_num) {
+
+		if (str==NULL)
+			goto error;
+
 		type = strtoul(str, &tmp, 0);
 		if (*tmp != ':')
 			goto error;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ