| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191023082912.GB22919@krava>
Date: Wed, 23 Oct 2019 10:29:12 +0200
From: Jiri Olsa <jolsa@...hat.com>
To: Ian Rogers <irogers@...gle.com>
Cc: He Kuang <hekuang@...wei.com>,
Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Namhyung Kim <namhyung@...nel.org>,
Andi Kleen <ak@...ux.intel.com>, linux-kernel@...r.kernel.org,
clang-built-linux@...glegroups.com,
Stephane Eranian <eranian@...gle.com>
Subject: Re: [PATCH] perf tools: avoid reading out of scope array
On Thu, Oct 17, 2019 at 10:05:31AM -0700, Ian Rogers wrote:
> Modify tracepoint name into 2 sys components and assemble at use. This
> avoids the sys_name array being out of scope at the point of use.
> Bug caught with LLVM's address sanitizer with fuzz generated input of
> ":cs\1" to parse_events.
>
> Signed-off-by: Ian Rogers <irogers@...gle.com>
> ---
> tools/perf/util/parse-events.y | 36 +++++++++++++++++++++++-----------
> 1 file changed, 25 insertions(+), 11 deletions(-)
>
> diff --git a/tools/perf/util/parse-events.y b/tools/perf/util/parse-events.y
> index 48126ae4cd13..28be39a703c9 100644
> --- a/tools/perf/util/parse-events.y
> +++ b/tools/perf/util/parse-events.y
> @@ -104,7 +104,8 @@ static void inc_group_count(struct list_head *list,
> struct list_head *head;
> struct parse_events_term *term;
> struct tracepoint_name {
> - char *sys;
> + char *sys1;
> + char *sys2;
> char *event;
> } tracepoint_name;
> struct parse_events_array array;
> @@ -425,9 +426,19 @@ tracepoint_name opt_event_config
> if (error)
> error->idx = @1.first_column;
>
> - if (parse_events_add_tracepoint(list, &parse_state->idx, $1.sys, $1.event,
> - error, $2))
> - return -1;
> + if ($1.sys2) {
> + char sys_name[128];
> + snprintf(&sys_name, sizeof(sys_name), "%s-%s",
> + $1.sys1, $1.sys2);
> + if (parse_events_add_tracepoint(list, &parse_state->idx,
> + sys_name, $1.event,
> + error, $2))
> + return -1;
> + } else
> + if (parse_events_add_tracepoint(list, &parse_state->idx,
> + $1.sys1, $1.event,
> + error, $2))
> + return -1;
nice catch, please enclose all multiline condition legs with {}
other than that
Acked-by: Jiri Olsa <jolsa@...nel.org>
thanks,
jirka
>
> $$ = list;
> }
> @@ -435,19 +446,22 @@ tracepoint_name opt_event_config
> tracepoint_name:
> PE_NAME '-' PE_NAME ':' PE_NAME
> {
> - char sys_name[128];
> - struct tracepoint_name tracepoint;
> -
> - snprintf(&sys_name, 128, "%s-%s", $1, $3);
> - tracepoint.sys = &sys_name;
> - tracepoint.event = $5;
> + struct tracepoint_name tracepoint = {
> + .sys1 = $1,
> + .sys2 = $3,
> + .event = $5,
> + };
>
> $$ = tracepoint;
> }
> |
> PE_NAME ':' PE_NAME
> {
> - struct tracepoint_name tracepoint = {$1, $3};
> + struct tracepoint_name tracepoint = {
> + .sys1 = $1,
> + .sys2 = NULL,
> + .event = $3,
> + };
>
> $$ = tracepoint;
> }
> --
> 2.23.0.700.g56cf767bdb-goog
>
Powered by blists - more mailing lists