| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Nov 2023 11:28:24 -0800
From: Ian Rogers <irogers@...gle.com>
To: Namhyung Kim <namhyung@...nel.org>
Cc: Guilherme Amadio <amadio@...too.org>,
Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...nel.org>,
Adrian Hunter <adrian.hunter@...el.com>,
Nick Terrell <terrelln@...com>,
Kan Liang <kan.liang@...ux.intel.com>,
Andi Kleen <ak@...ux.intel.com>,
Kajol Jain <kjain@...ux.ibm.com>,
Athira Rajeev <atrajeev@...ux.vnet.ibm.com>,
Huacai Chen <chenhuacai@...nel.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Vincent Whitchurch <vincent.whitchurch@...s.com>,
"Steinar H. Gunderson" <sesse@...gle.com>,
Liam Howlett <liam.howlett@...cle.com>,
Miguel Ojeda <ojeda@...nel.org>,
Colin Ian King <colin.i.king@...il.com>,
Dmitrii Dolgov <9erthalion6@...il.com>,
Yang Jihong <yangjihong1@...wei.com>,
Ming Wang <wangming01@...ngson.cn>,
James Clark <james.clark@....com>,
K Prateek Nayak <kprateek.nayak@....com>,
Sean Christopherson <seanjc@...gle.com>,
Leo Yan <leo.yan@...aro.org>,
Ravi Bangoria <ravi.bangoria@....com>,
German Gomez <german.gomez@....com>,
Changbin Du <changbin.du@...wei.com>,
Paolo Bonzini <pbonzini@...hat.com>, Li Dong <lidong@...o.com>,
Sandipan Das <sandipan.das@....com>,
liuwenyu <liuwenyu7@...wei.com>, linux-kernel@...r.kernel.org,
linux-perf-users@...r.kernel.org
Subject: Re: [PATCH v4 03/53] libperf: Lazily allocate mmap event copy
On Sun, Nov 5, 2023 at 10:12 AM Namhyung Kim <namhyung@...nel.org> wrote:
>
> On Fri, Nov 3, 2023 at 8:49 AM Ian Rogers <irogers@...gle.com> wrote:
> >
> > On Fri, Nov 3, 2023 at 1:33 AM Guilherme Amadio <amadio@...too.org> wrote:
> > >
> > > Hi,
> > >
> > > On Thu, Nov 02, 2023 at 10:56:45AM -0700, Ian Rogers wrote:
> > > > The event copy in the mmap is used to have storage to a read
> > > > event. Not all users of mmaps read the events, such as perf record, so
> > > > switch the allocation to being on first read rather than being
> > > > embedded within the perf_mmap.
> > > >
> > > > Signed-off-by: Ian Rogers <irogers@...gle.com>
> > > > ---
> > > > tools/lib/perf/include/internal/mmap.h | 2 +-
> > > > tools/lib/perf/mmap.c | 9 +++++++++
> > > > 2 files changed, 10 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/tools/lib/perf/include/internal/mmap.h b/tools/lib/perf/include/internal/mmap.h
> > > > index 5a062af8e9d8..b11aaf5ed645 100644
> > > > --- a/tools/lib/perf/include/internal/mmap.h
> > > > +++ b/tools/lib/perf/include/internal/mmap.h
> > > > @@ -33,7 +33,7 @@ struct perf_mmap {
> > > > bool overwrite;
> > > > u64 flush;
> > > > libperf_unmap_cb_t unmap_cb;
> > > > - char event_copy[PERF_SAMPLE_MAX_SIZE] __aligned(8);
> > > > + void *event_copy;
> > > > struct perf_mmap *next;
> > > > };
> > > >
> > > > diff --git a/tools/lib/perf/mmap.c b/tools/lib/perf/mmap.c
> > > > index 2184814b37dd..91ae46aac378 100644
> > > > --- a/tools/lib/perf/mmap.c
> > > > +++ b/tools/lib/perf/mmap.c
> > > > @@ -51,6 +51,8 @@ int perf_mmap__mmap(struct perf_mmap *map, struct perf_mmap_param *mp,
> > > >
> > > > void perf_mmap__munmap(struct perf_mmap *map)
> > > > {
> > > > + free(map->event_copy);
> > > > + map->event_copy = NULL;
> > > > if (map && map->base != NULL) {
> > >
> > > If map can be NULL as the if statement above suggests, then there is a
> > > potential a null pointer dereference bug here. Suggestion:
> > >
> > > if (!map)
> > > return;
> > >
> > > free(map->event_copy);
> > > map->event_copy = NULL;
> > > if (map->base != NULL) {
> > >
> > > ...
> >
> > Makes sense, will fix in v5. Waiting to get additional feedback to
> > avoid too much email.
>
> Acked-by: Namhyung Kim <namhyung@...nel.org>
>
>
> But I have another concern (not related to this change).
>
> > >
> > > > munmap(map->base, perf_mmap__mmap_len(map));
> > > > map->base = NULL;
> > > > @@ -226,6 +228,13 @@ static union perf_event *perf_mmap__read(struct perf_mmap *map,
> > > > unsigned int len = min(sizeof(*event), size), cpy;
>
> I'm not sure if it's ok to read less than the actual size, IOW
> it seems to assume 'size' is smaller than sizeof(*event).
> I guess it's true for most cases as union perf_event has
> perf_record_mmap2 (among others) which contains a
> filename array of size PATH_MAX.
>
> But the SAMPLE record can be larger than that when it has
> PERF_SAMPLE_AUX IIRC. It'd happen only if it crossed the mmap
> boundary and I'm afraid it'd corrupt the data.
Thanks, I was thinking this would just be a drop in change but I think
given this feedback it would be better to switch from allocating once
a PERF_SAMPLE_MAX_SIZE buffer to allocating or reallocating one based
on size. This potentially saves memory when size is less than
PERF_SAMPLE_MAX_SIZE and by removing the min calculation for the
amount copied (len) we can potentially exceed it and fix a potential
bug. I'll add this in v5.
Thanks,
Ian
> Thanks,
> Namhyung
>
>
> > > > void *dst = map->event_copy;
> > > >
> > > > + if (!dst) {
> > > > + dst = malloc(PERF_SAMPLE_MAX_SIZE);
> > > > + if (!dst)
> > > > + return NULL;
> > > > + map->event_copy = dst;
> > > > + }
> > > > +
> > > > do {
> > > > cpy = min(map->mask + 1 - (offset & map->mask), len);
> > > > memcpy(dst, &data[offset & map->mask], cpy);
> > > > --
> > > > 2.42.0.869.gea05f2083d-goog
> > > >
> > > >
Powered by blists - more mailing lists