| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Jan 2020 00:53:40 +0100
From: Bernhard Übelacker <bernhardu@...lbox.org>
To: linux-kernel@...r.kernel.org
Cc: Peter Zijlstra <peterz@...radead.org>
Subject: linux-perf-5.2: perf report: segmentation fault accessing
browser->he_selection
Hello,
in Debian bug [943398] another user reported a crash of the
perf application. I tried triaging the issue.
I could reproduce the issue using linux-perf-5.2
and it is also visible in linux-perf-5.4 5.4.8-1
With following commands:
perf record ls
perf report perf.data
# Press enter
The crash happens because in line 3172
function hist_browser__selected_entry returns
browser->he_selection, which is at this time a
null pointer.
This null pointer gets dereferenced to
access the res_samples member.
Other occourences of browser->he_selection being null
seem to get fixed in [1], but this is
already contained in 5.4 while a crash still happens.
It got reported to be visible also in 5.5~rc5.
Kind regards,
Bernhard
Program received signal SIGSEGV, Segmentation fault.
(rr) bt
#0 perf_evsel__hists_browse (evsel=0x55e794ebcb40, nr_events=nr_events@...ry=1, helpline=helpline@...ry=0x55e794f7c040 "Tip: System-wide collection from all CPUs: perf record -a", left_exits=left_exits@...ry=false, hbt=hbt@...ry=0x0, min_pcnt=<optimized out>, env=env@...ry=0x55e794eb54f0, warn_lost_event=true, annotation_opts=0x7ffcc3063dc8) at ui/browsers/hists.c:3170
#1 0x000055e79385cce9 in perf_evlist__tui_browse_hists (evlist=evlist@...ry=0x55e794ebc0c0, help=help@...ry=0x55e794f7c040 "Tip: System-wide collection from all CPUs: perf record -a", hbt=hbt@...ry=0x0, min_pcnt=<optimized out>, env=env@...ry=0x55e794eb54f0, warn_lost_event=warn_lost_event@...ry=true, annotation_opts=annotation_opts@...ry=0x7ffcc3063dc8) at ui/browsers/hists.c:3422
#2 0x000055e7936f1ece in report__browse_hists (rep=0x7ffcc3063c30) at builtin-report.c:585
#3 __cmd_report (rep=0x7ffcc3063c30) at builtin-report.c:930
#4 cmd_report (argc=<optimized out>, argv=<optimized out>) at builtin-report.c:1475
#5 0x000055e79375b823 in run_builtin (p=0x55e793a9ef90 <commands+240>, argc=2, argv=0x7ffcc30661f0) at perf.c:312
#6 0x000055e7936d6a2c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:364
#7 run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:408
#8 main (argc=2, argv=0x7ffcc30661f0) at perf.c:538
https://sources.debian.org/src/linux/5.4.8-1/tools/perf/ui/browsers/hists.c/#L2217
2217 static struct hist_entry *hist_browser__selected_entry(struct hist_browser *browser)
2218 {
2219 return browser->he_selection;
2220 }
https://sources.debian.org/src/linux/5.4.8-1/tools/perf/ui/browsers/hists.c/#L3170
3170 nr_options += add_res_sample_opt(browser, &actions[nr_options],
3171 &options[nr_options],
3172 hist_browser__selected_entry(browser)->res_samples,
3173 evsel, A_NORMAL);
[943398] https://bugs.debian.org/943398
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/tools/perf/ui/browsers/hists.c?id=ceb75476db1617a88cc29b09839acacb69aa076e
Powered by blists - more mailing lists