| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Apr 2023 22:17:18 -0700
From: Ian Rogers <irogers@...gle.com>
To: Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...nel.org>,
Namhyung Kim <namhyung@...nel.org>,
Ian Rogers <irogers@...gle.com>,
Adrian Hunter <adrian.hunter@...el.com>,
linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org,
bpf@...r.kernel.org
Subject: [PATCH] perf bperf: Avoid use after free via union
If bperf sets leader_skel or follower_skel then it appears bpf_skel is
set and can trigger the following use-after-free:
==13575==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000014080 at pc 0x55684b939880 bp 0x7ffdfcf30d70 sp 0x7ffdfcf30d68
READ of size 8 at 0x60c000014080 thread T0
#0 0x55684b93987f in sample_filter_bpf__destroy tools/perf/bpf_skel/sample_filter.skel.h:44:11
#1 0x55684b93987f in perf_bpf_filter__destroy tools/perf/util/bpf-filter.c:155:2
#2 0x55684b98f71e in evsel__exit tools/perf/util/evsel.c:1521:2
#3 0x55684b98a352 in evsel__delete tools/perf/util/evsel.c:1547:2
#4 0x55684b981918 in evlist__purge tools/perf/util/evlist.c:148:3
#5 0x55684b981918 in evlist__delete tools/perf/util/evlist.c:169:2
#6 0x55684b887d60 in cmd_stat tools/perf/builtin-stat.c:2598:2
..
0x60c000014080 is located 0 bytes inside of 128-byte region [0x60c000014080,0x60c000014100)
freed by thread T0 here:
#0 0x55684b780e86 in free compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x55684b9462da in bperf_cgroup_bpf__destroy tools/perf/bpf_skel/bperf_cgroup.skel.h:61:2
#2 0x55684b9462da in bperf_cgrp__destroy tools/perf/util/bpf_counter_cgroup.c:282:2
#3 0x55684b944c75 in bpf_counter__destroy tools/perf/util/bpf_counter.c:819:2
#4 0x55684b98f716 in evsel__exit tools/perf/util/evsel.c:1520:2
#5 0x55684b98a352 in evsel__delete tools/perf/util/evsel.c:1547:2
#6 0x55684b981918 in evlist__purge tools/perf/util/evlist.c:148:3
#7 0x55684b981918 in evlist__delete tools/perf/util/evlist.c:169:2
#8 0x55684b887d60 in cmd_stat tools/perf/builtin-stat.c:2598:2
...
previously allocated by thread T0 here:
#0 0x55684b781338 in calloc compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
#1 0x55684b944e25 in bperf_cgroup_bpf__open_opts tools/perf/bpf_skel/bperf_cgroup.skel.h:73:35
#2 0x55684b944e25 in bperf_cgroup_bpf__open tools/perf/bpf_skel/bperf_cgroup.skel.h:97:9
#3 0x55684b944e25 in bperf_load_program tools/perf/util/bpf_counter_cgroup.c:55:9
#4 0x55684b944e25 in bperf_cgrp__load tools/perf/util/bpf_counter_cgroup.c:178:23
#5 0x55684b889289 in __run_perf_stat tools/perf/builtin-stat.c:713:7
#6 0x55684b889289 in run_perf_stat tools/perf/builtin-stat.c:949:8
#7 0x55684b888029 in cmd_stat tools/perf/builtin-stat.c:2537:12
Resolve by clearing bpf_skel as part of bpf_counter__destroy.
Suggested-by: Namhyung Kim <namhyung@...nel.org>
Signed-off-by: Ian Rogers <irogers@...gle.com>
---
tools/perf/util/bpf_counter.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/perf/util/bpf_counter.c b/tools/perf/util/bpf_counter.c
index bee3fe0905f6..d9677a51eae1 100644
--- a/tools/perf/util/bpf_counter.c
+++ b/tools/perf/util/bpf_counter.c
@@ -818,4 +818,5 @@ void bpf_counter__destroy(struct evsel *evsel)
return;
evsel->bpf_counter_ops->destroy(evsel);
evsel->bpf_counter_ops = NULL;
+ evsel->bpf_skel = NULL;
}
--
2.40.0.577.gac1e443424-goog
Powered by blists - more mailing lists