lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <48b757ca-8861-b84d-6d8c-314be93ccdc7@mailbox.org>
Date:   Thu, 23 Jan 2020 00:53:40 +0100
From:   Bernhard Übelacker <bernhardu@...lbox.org>
To:     linux-kernel@...r.kernel.org
Cc:     Peter Zijlstra <peterz@...radead.org>
Subject: linux-perf-5.2: perf report: segmentation fault accessing
 browser->he_selection

Hello,
in Debian bug [943398] another user reported a crash of the
perf application. I tried triaging the issue.

I could reproduce the issue using linux-perf-5.2
and it is also visible in linux-perf-5.4 5.4.8-1

With following commands:

   perf record ls
   perf report perf.data
   # Press enter

The crash happens because in line 3172
function hist_browser__selected_entry returns
browser->he_selection, which is at this time a
null pointer.
This null pointer gets dereferenced to
access the res_samples member.

Other occourences of browser->he_selection being null
seem to get fixed in [1], but this is
already contained in 5.4 while a crash still happens.

It got reported to be visible also in 5.5~rc5.

Kind regards,
Bernhard



Program received signal SIGSEGV, Segmentation fault.
(rr) bt
#0  perf_evsel__hists_browse (evsel=0x55e794ebcb40, nr_events=nr_events@...ry=1, helpline=helpline@...ry=0x55e794f7c040 "Tip: System-wide collection from all CPUs: perf record -a", left_exits=left_exits@...ry=false, hbt=hbt@...ry=0x0, min_pcnt=<optimized out>, env=env@...ry=0x55e794eb54f0, warn_lost_event=true, annotation_opts=0x7ffcc3063dc8) at ui/browsers/hists.c:3170
#1  0x000055e79385cce9 in perf_evlist__tui_browse_hists (evlist=evlist@...ry=0x55e794ebc0c0, help=help@...ry=0x55e794f7c040 "Tip: System-wide collection from all CPUs: perf record -a", hbt=hbt@...ry=0x0, min_pcnt=<optimized out>, env=env@...ry=0x55e794eb54f0, warn_lost_event=warn_lost_event@...ry=true, annotation_opts=annotation_opts@...ry=0x7ffcc3063dc8) at ui/browsers/hists.c:3422
#2  0x000055e7936f1ece in report__browse_hists (rep=0x7ffcc3063c30) at builtin-report.c:585
#3  __cmd_report (rep=0x7ffcc3063c30) at builtin-report.c:930
#4  cmd_report (argc=<optimized out>, argv=<optimized out>) at builtin-report.c:1475
#5  0x000055e79375b823 in run_builtin (p=0x55e793a9ef90 <commands+240>, argc=2, argv=0x7ffcc30661f0) at perf.c:312
#6  0x000055e7936d6a2c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:364
#7  run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:408
#8  main (argc=2, argv=0x7ffcc30661f0) at perf.c:538


https://sources.debian.org/src/linux/5.4.8-1/tools/perf/ui/browsers/hists.c/#L2217
    2217 static struct hist_entry *hist_browser__selected_entry(struct hist_browser *browser)
    2218 {
    2219 	return browser->he_selection;
    2220 }

https://sources.debian.org/src/linux/5.4.8-1/tools/perf/ui/browsers/hists.c/#L3170
    3170 		nr_options += add_res_sample_opt(browser, &actions[nr_options],
    3171 						 &options[nr_options],
    3172 				 hist_browser__selected_entry(browser)->res_samples,
    3173 				 evsel, A_NORMAL);



[943398] https://bugs.debian.org/943398
[1]      https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/tools/perf/ui/browsers/hists.c?id=ceb75476db1617a88cc29b09839acacb69aa076e

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ