lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YlGmhS5O4VZEn4wV@kernel.org>
Date:   Sat, 9 Apr 2022 12:30:13 -0300
From:   Arnaldo Carvalho de Melo <acme@...nel.org>
To:     Jiri Olsa <olsajiri@...il.com>
Cc:     Denis Nikitin <denik@...omium.org>,
        linux-perf-users@...r.kernel.org, jolsa@...nel.org,
        alexey.budankov@...ux.intel.com,
        alexander.shishkin@...ux.intel.com, namhyung@...nel.org,
        james.clark@....com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] perf session: Remap buf if there is no space for event

Em Thu, Mar 31, 2022 at 01:44:43PM +0200, Jiri Olsa escreveu:
> On Tue, Mar 29, 2022 at 08:11:30PM -0700, Denis Nikitin wrote:
> > If a perf event doesn't fit into remaining buffer space return NULL to
> > remap buf and fetch the event again.
> > Keep the logic to error out on inadequate input from fuzzing.
> > 
> > This fixes perf failing on ChromeOS (with 32b userspace):
> > 
> >   $ perf report -v -i perf.data
> >   ...
> >   prefetch_event: head=0x1fffff8 event->header_size=0x30, mmap_size=0x2000000: fuzzed or compressed perf.data?
> >   Error:
> >   failed to process sample
> > 
> > Fixes: 57fc032ad643 ("perf session: Avoid infinite loop when seeing invalid header.size")
> > Signed-off-by: Denis Nikitin <denik@...omium.org>
> 
> Acked-by: Jiri Olsa <jolsa@...nel.org>

Thanks, applied.

- Arnaldo

 
> thanks,
> jirka
> 
> > ---
> >  tools/perf/util/session.c | 15 ++++++++++++---
> >  1 file changed, 12 insertions(+), 3 deletions(-)
> > 
> > diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
> > index 3b8dfe603e50..45a30040ec8d 100644
> > --- a/tools/perf/util/session.c
> > +++ b/tools/perf/util/session.c
> > @@ -2095,6 +2095,7 @@ prefetch_event(char *buf, u64 head, size_t mmap_size,
> >  	       bool needs_swap, union perf_event *error)
> >  {
> >  	union perf_event *event;
> > +	u16 event_size;
> >  
> >  	/*
> >  	 * Ensure we have enough space remaining to read
> > @@ -2107,15 +2108,23 @@ prefetch_event(char *buf, u64 head, size_t mmap_size,
> >  	if (needs_swap)
> >  		perf_event_header__bswap(&event->header);
> >  
> > -	if (head + event->header.size <= mmap_size)
> > +	event_size = event->header.size;
> > +	if (head + event_size <= mmap_size)
> >  		return event;
> >  
> >  	/* We're not fetching the event so swap back again */
> >  	if (needs_swap)
> >  		perf_event_header__bswap(&event->header);
> >  
> > -	pr_debug("%s: head=%#" PRIx64 " event->header_size=%#x, mmap_size=%#zx:"
> > -		 " fuzzed or compressed perf.data?\n",__func__, head, event->header.size, mmap_size);
> > +	/* Check if the event fits into the next mmapped buf. */
> > +	if (event_size <= mmap_size - head % page_size) {
> > +		/* Remap buf and fetch again. */
> > +		return NULL;
> > +	}
> > +
> > +	/* Invalid input. Event size should never exceed mmap_size. */
> > +	pr_debug("%s: head=%#" PRIx64 " event->header.size=%#x, mmap_size=%#zx:"
> > +		 " fuzzed or compressed perf.data?\n", __func__, head, event_size, mmap_size);
> >  
> >  	return error;
> >  }
> > -- 
> > 2.35.1.1021.g381101b075-goog
> > 

-- 

- Arnaldo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ