lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <42c6ea29-5904-bb8b-d9c6-a0516c3a564f@arm.com>
Date:   Fri, 10 Dec 2021 15:28:56 +0000
From:   German Gomez <german.gomez@....com>
To:     Arnaldo Carvalho de Melo <acme@...nel.org>,
        kajoljain <kjain@...ux.ibm.com>
Cc:     linux-kernel@...r.kernel.org, linux-perf-users@...r.kernel.org,
        John Garry <john.garry@...wei.com>,
        Will Deacon <will@...nel.org>,
        Mathieu Poirier <mathieu.poirier@...aro.org>,
        Leo Yan <leo.yan@...aro.org>,
        Mark Rutland <mark.rutland@....com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Jiri Olsa <jolsa@...hat.com>,
        Namhyung Kim <namhyung@...nel.org>,
        linux-arm-kernel@...ts.infradead.org, linux-csky@...r.kernel.org,
        linux-riscv@...ts.infradead.org
Subject: Re: [PATCH v1 1/4] perf tools: Prevent out-of-bounds access to
 registers


On 10/12/2021 13:38, Arnaldo Carvalho de Melo wrote:
> Em Fri, Dec 10, 2021 at 02:47:49PM +0530, kajoljain escreveu:
>>
>> On 12/1/21 6:03 PM, German Gomez wrote:
>>> The size of the cache of register values is arch-dependant
>>> (PERF_REGS_MAX). This has the potential of causing an out-of-bounds
>>> access in the function "perf_reg_value" if the local architecture
>>> contains less registers than the one the perf.data file was recorded on.
>>>
>>> Since the maximum number of registers is bound by the bitmask "u64
>>> cache_mask", and the size of the cache when running under x86 systems is
>>> 64 already, fix the size to 64 and add a range-check to the function
>>> "perf_reg_value" to prevent out-of-bounds access.
>>>
>> Patch looks good to me.
>>
>> Reviewed-by: Kajol Jain<kjain@...ux.ibm.com>
> Thanks, applied.
>
> - Arnaldo

Thanks Arnaldo, and the rest for the review.

I did send a v2 of this patch afterwards. The only difference was to
give credit to the reporter in the commit message with:

Reported-by: Alexandre Truong <alexandre.truong@....com>

Thanks,
German

>  
>> Thanks,
>> Kajol Jain
>>
>>> Signed-off-by: German Gomez <german.gomez@....com>
>>> ---
>>>  tools/perf/util/event.h     | 5 ++++-
>>>  tools/perf/util/perf_regs.c | 3 +++
>>>  2 files changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/tools/perf/util/event.h b/tools/perf/util/event.h
>>> index 95ffed663..c59331eea 100644
>>> --- a/tools/perf/util/event.h
>>> +++ b/tools/perf/util/event.h
>>> @@ -44,13 +44,16 @@ struct perf_event_attr;
>>>  /* perf sample has 16 bits size limit */
>>>  #define PERF_SAMPLE_MAX_SIZE (1 << 16)
>>>  
>>> +/* number of register is bound by the number of bits in regs_dump::mask (64) */
>>> +#define PERF_SAMPLE_REGS_CACHE_SIZE (8 * sizeof(u64))
>>> +
>>>  struct regs_dump {
>>>  	u64 abi;
>>>  	u64 mask;
>>>  	u64 *regs;
>>>  
>>>  	/* Cached values/mask filled by first register access. */
>>> -	u64 cache_regs[PERF_REGS_MAX];
>>> +	u64 cache_regs[PERF_SAMPLE_REGS_CACHE_SIZE];
>>>  	u64 cache_mask;
>>>  };
>>>  
>>> diff --git a/tools/perf/util/perf_regs.c b/tools/perf/util/perf_regs.c
>>> index 5ee47ae15..06a7461ba 100644
>>> --- a/tools/perf/util/perf_regs.c
>>> +++ b/tools/perf/util/perf_regs.c
>>> @@ -25,6 +25,9 @@ int perf_reg_value(u64 *valp, struct regs_dump *regs, int id)
>>>  	int i, idx = 0;
>>>  	u64 mask = regs->mask;
>>>  
>>> +	if ((u64)id >= PERF_SAMPLE_REGS_CACHE_SIZE)
>>> +		return -EINVAL;
>>> +
>>>  	if (regs->cache_mask & (1ULL << id))
>>>  		goto out;
>>>  
>>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ