lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 10 Jul 2023 20:26:14 +0800
From:   Shuai Xue <xueshuai@...ux.alibaba.com>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     alexander.shishkin@...ux.intel.com, james.clark@....com,
        leo.yan@...aro.org, mingo@...hat.com,
        baolin.wang@...ux.alibaba.com, acme@...nel.org,
        mark.rutland@....com, jolsa@...nel.org, namhyung@...nel.org,
        irogers@...gle.com, adrian.hunter@...el.com,
        linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org,
        bpf@...r.kernel.org
Subject: Re: [Patch v2] perf/core: Bail out early if the request AUX area is
 out of bound



On 2023/7/10 20:00, Peter Zijlstra wrote:
> On Tue, Jun 13, 2023 at 08:32:11PM +0800, Shuai Xue wrote:
> 
>>  kernel/events/ring_buffer.c              | 13 +++++++++++++
>>  tools/perf/Documentation/perf-record.txt |  3 ++-
>>  2 files changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
>> index a0433f37b024..e514aaba9d42 100644
>> --- a/kernel/events/ring_buffer.c
>> +++ b/kernel/events/ring_buffer.c
>> @@ -673,6 +673,7 @@ int rb_alloc_aux(struct perf_buffer *rb, struct perf_event *event,
>>  	bool overwrite = !(flags & RING_BUFFER_WRITABLE);
>>  	int node = (event->cpu == -1) ? -1 : cpu_to_node(event->cpu);
>>  	int ret = -ENOMEM, max_order;
>> +	size_t bytes;
>>  
>>  	if (!has_aux(event))
>>  		return -EOPNOTSUPP;
>> @@ -699,6 +700,18 @@ int rb_alloc_aux(struct perf_buffer *rb, struct perf_event *event,
>>  		watermark = 0;
>>  	}
>>  
>> +	/*
>> +	 * 'rb->aux_pages' allocated by kcalloc() is a pointer array which is
>> +	 * used to maintains AUX trace pages. The allocated page for this array
>> +	 * is physically contiguous (and virtually contiguous) with an order of
>> +	 * 0..MAX_ORDER. If the size of pointer array crosses the limitation set
>> +	 * by MAX_ORDER, it reveals a WARNING.
>> +	 *
>> +	 * So bail out early if the request AUX area is out of bound.
>> +	 */
>> +	if (check_mul_overflow(nr_pages, sizeof(void *), &bytes) ||
>> +	    get_order(bytes) > MAX_ORDER)
>> +		return -EINVAL;
> 
> This is all quite horrific :/ What's wrong with something simple:
> 
> 	/* Can't allocate more than MAX_ORDER  */
> 	if (get_order((unsigned long)nr_pages * sizeof(void*)) > MAX_ORDER)
> 		return -EINVAL;
> 
> If you're on 32bit then nr_pages should never be big enough to overflow,
> fundamentally you'll only have 32-PAGE_SHIFT bits in nr_pages.

Well, you are right. Thank you for pointing it out.
I will send a new version with your simplified code :)

Best Regards,
Shuai

> 
> 
>>  	rb->aux_pages = kcalloc_node(nr_pages, sizeof(void *), GFP_KERNEL,
>>  				     node);
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ