lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 10 Jul 2023 14:00:26 +0200
From:   Peter Zijlstra <peterz@...radead.org>
To:     Shuai Xue <xueshuai@...ux.alibaba.com>
Cc:     alexander.shishkin@...ux.intel.com, james.clark@....com,
        leo.yan@...aro.org, mingo@...hat.com,
        baolin.wang@...ux.alibaba.com, acme@...nel.org,
        mark.rutland@....com, jolsa@...nel.org, namhyung@...nel.org,
        irogers@...gle.com, adrian.hunter@...el.com,
        linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org,
        bpf@...r.kernel.org
Subject: Re: [Patch v2] perf/core: Bail out early if the request AUX area is
 out of bound

On Tue, Jun 13, 2023 at 08:32:11PM +0800, Shuai Xue wrote:

>  kernel/events/ring_buffer.c              | 13 +++++++++++++
>  tools/perf/Documentation/perf-record.txt |  3 ++-
>  2 files changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
> index a0433f37b024..e514aaba9d42 100644
> --- a/kernel/events/ring_buffer.c
> +++ b/kernel/events/ring_buffer.c
> @@ -673,6 +673,7 @@ int rb_alloc_aux(struct perf_buffer *rb, struct perf_event *event,
>  	bool overwrite = !(flags & RING_BUFFER_WRITABLE);
>  	int node = (event->cpu == -1) ? -1 : cpu_to_node(event->cpu);
>  	int ret = -ENOMEM, max_order;
> +	size_t bytes;
>  
>  	if (!has_aux(event))
>  		return -EOPNOTSUPP;
> @@ -699,6 +700,18 @@ int rb_alloc_aux(struct perf_buffer *rb, struct perf_event *event,
>  		watermark = 0;
>  	}
>  
> +	/*
> +	 * 'rb->aux_pages' allocated by kcalloc() is a pointer array which is
> +	 * used to maintains AUX trace pages. The allocated page for this array
> +	 * is physically contiguous (and virtually contiguous) with an order of
> +	 * 0..MAX_ORDER. If the size of pointer array crosses the limitation set
> +	 * by MAX_ORDER, it reveals a WARNING.
> +	 *
> +	 * So bail out early if the request AUX area is out of bound.
> +	 */
> +	if (check_mul_overflow(nr_pages, sizeof(void *), &bytes) ||
> +	    get_order(bytes) > MAX_ORDER)
> +		return -EINVAL;

This is all quite horrific :/ What's wrong with something simple:

	/* Can't allocate more than MAX_ORDER  */
	if (get_order((unsigned long)nr_pages * sizeof(void*)) > MAX_ORDER)
		return -EINVAL;

If you're on 32bit then nr_pages should never be big enough to overflow,
fundamentally you'll only have 32-PAGE_SHIFT bits in nr_pages.


>  	rb->aux_pages = kcalloc_node(nr_pages, sizeof(void *), GFP_KERNEL,
>  				     node);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ