| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Apr 2022 12:30:13 -0300
From: Arnaldo Carvalho de Melo <acme@...nel.org>
To: Jiri Olsa <olsajiri@...il.com>
Cc: Denis Nikitin <denik@...omium.org>,
linux-perf-users@...r.kernel.org, jolsa@...nel.org,
alexey.budankov@...ux.intel.com,
alexander.shishkin@...ux.intel.com, namhyung@...nel.org,
james.clark@....com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] perf session: Remap buf if there is no space for event
Em Thu, Mar 31, 2022 at 01:44:43PM +0200, Jiri Olsa escreveu:
> On Tue, Mar 29, 2022 at 08:11:30PM -0700, Denis Nikitin wrote:
> > If a perf event doesn't fit into remaining buffer space return NULL to
> > remap buf and fetch the event again.
> > Keep the logic to error out on inadequate input from fuzzing.
> >
> > This fixes perf failing on ChromeOS (with 32b userspace):
> >
> > $ perf report -v -i perf.data
> > ...
> > prefetch_event: head=0x1fffff8 event->header_size=0x30, mmap_size=0x2000000: fuzzed or compressed perf.data?
> > Error:
> > failed to process sample
> >
> > Fixes: 57fc032ad643 ("perf session: Avoid infinite loop when seeing invalid header.size")
> > Signed-off-by: Denis Nikitin <denik@...omium.org>
>
> Acked-by: Jiri Olsa <jolsa@...nel.org>
Thanks, applied.
- Arnaldo
> thanks,
> jirka
>
> > ---
> > tools/perf/util/session.c | 15 ++++++++++++---
> > 1 file changed, 12 insertions(+), 3 deletions(-)
> >
> > diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
> > index 3b8dfe603e50..45a30040ec8d 100644
> > --- a/tools/perf/util/session.c
> > +++ b/tools/perf/util/session.c
> > @@ -2095,6 +2095,7 @@ prefetch_event(char *buf, u64 head, size_t mmap_size,
> > bool needs_swap, union perf_event *error)
> > {
> > union perf_event *event;
> > + u16 event_size;
> >
> > /*
> > * Ensure we have enough space remaining to read
> > @@ -2107,15 +2108,23 @@ prefetch_event(char *buf, u64 head, size_t mmap_size,
> > if (needs_swap)
> > perf_event_header__bswap(&event->header);
> >
> > - if (head + event->header.size <= mmap_size)
> > + event_size = event->header.size;
> > + if (head + event_size <= mmap_size)
> > return event;
> >
> > /* We're not fetching the event so swap back again */
> > if (needs_swap)
> > perf_event_header__bswap(&event->header);
> >
> > - pr_debug("%s: head=%#" PRIx64 " event->header_size=%#x, mmap_size=%#zx:"
> > - " fuzzed or compressed perf.data?\n",__func__, head, event->header.size, mmap_size);
> > + /* Check if the event fits into the next mmapped buf. */
> > + if (event_size <= mmap_size - head % page_size) {
> > + /* Remap buf and fetch again. */
> > + return NULL;
> > + }
> > +
> > + /* Invalid input. Event size should never exceed mmap_size. */
> > + pr_debug("%s: head=%#" PRIx64 " event->header.size=%#x, mmap_size=%#zx:"
> > + " fuzzed or compressed perf.data?\n", __func__, head, event_size, mmap_size);
> >
> > return error;
> > }
> > --
> > 2.35.1.1021.g381101b075-goog
> >
--
- Arnaldo
Powered by blists - more mailing lists