lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 25 Jan 2024 15:31:24 -0800
From: Namhyung Kim <namhyung@...nel.org>
To: Ian Rogers <irogers@...gle.com>
Cc: kotborealis@...oo.ru, Peter Zijlstra <peterz@...radead.org>, 
	Ingo Molnar <mingo@...hat.com>, Arnaldo Carvalho de Melo <acme@...nel.org>, Mark Rutland <mark.rutland@....com>, 
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Jiri Olsa <jolsa@...nel.org>, 
	Adrian Hunter <adrian.hunter@...el.com>, linux-perf-users@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] perf data convert: Output empty string for null pointer

Hello,

On Thu, Jan 25, 2024 at 12:59 PM Ian Rogers <irogers@...gle.com> wrote:
>
> On Thu, Jan 25, 2024 at 10:44 AM <kotborealis@...oo.ru> wrote:
> >
> > From: Evgeny Pistun <kotborealis@...oo.ru>
> >
> > Providing ill-formed input to `perf data conver --to-json`
> > causes it to crash with segmentaton fault. There's a bug in
> > `output_json_string` functon: input string is not validated.
> > This could be reproduced by crafting input that does not specify
> > hostname/os-release/etc, which are written to 'headers' section of
> > outputted json.
> >
> > This patch adds a null pointer check. If `output_json_string` is
> > called with a null pointer, it should output empty string (`""`).
> >
> > Signed-off-by: Evgeny Pistun <kotborealis@...oo.ru>
>
> Reviewed-by: Ian Rogers <irogers@...gle.com>

I think this is related to this one:

  https://lore.kernel.org/linux-perf-users/20240117215101.77713-1-ilkka@os.amperecomputing.com/

I'm ok with making it robust, but also afraid it might
end up with a broken JSON if something is missing in
{ key: value } format.  IOW we may need to handle it in
a higher layer.

Thanks,
Namhyung

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ