| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZjqNjrJ2ElrT11iB@x1>
Date: Tue, 7 May 2024 17:22:38 -0300
From: Arnaldo Carvalho de Melo <acme@...nel.org>
To: Ian Rogers <irogers@...gle.com>
Cc: Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...hat.com>,
Namhyung Kim <namhyung@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...nel.org>,
Adrian Hunter <adrian.hunter@...el.com>,
Kan Liang <kan.liang@...ux.intel.com>,
Oliver Upton <oliver.upton@...ux.dev>,
James Clark <james.clark@....com>,
Tim Chen <tim.c.chen@...ux.intel.com>,
Yicong Yang <yangyicong@...ilicon.com>,
K Prateek Nayak <kprateek.nayak@....com>,
Yanteng Si <siyanteng@...ngson.cn>,
Sun Haiyong <sunhaiyong@...ngson.cn>,
Kajol Jain <kjain@...ux.ibm.com>,
Ravi Bangoria <ravi.bangoria@....com>, Li Dong <lidong@...o.com>,
Paran Lee <p4ranlee@...il.com>, Ben Gainey <ben.gainey@....com>,
Andi Kleen <ak@...ux.intel.com>,
Athira Rajeev <atrajeev@...ux.vnet.ibm.com>,
linux-kernel@...r.kernel.org, linux-perf-users@...r.kernel.org
Subject: Re: [PATCH v1 1/8] perf ui browser: Don't save pointer to stack
memory
On Tue, May 07, 2024 at 05:20:59PM -0300, Arnaldo Carvalho de Melo wrote:
> On Tue, May 07, 2024 at 11:35:38AM -0700, Ian Rogers wrote:
> > ui_browser__show is capturing the input title that is stack allocated
> > memory in hist_browser__run. Avoid a use after return by strdup-ing
> > the string.
>
> But everything happens in that context, i.e. hist_brower__run() will
> call ui_browser__ methods and then exit.
>
> We end up having browser->title pointing to returned stack memory
> (invalid) but there will be no references to it, no?
>
> If we return to hist_browser__run() we then call ui_browser__show
> passing a new title, for "live" stack memory, rinse repeat. Or have you
> noticed an actual use-after-"free"?
And I'll take the patch, I'm just trying to figure it out if it fixed a
real bug or if it just makes the code more future proof, i.e. to avoid
us adding code that actually uses invalid stack memory.
- Arnaldo
> - Arnaldo
>
> > Fixes: 05e8b0804ec4 ("perf ui browser: Stop using 'self'")
> > Signed-off-by: Ian Rogers <irogers@...gle.com>
> > ---
> > tools/perf/ui/browser.c | 4 +++-
> > tools/perf/ui/browser.h | 2 +-
> > 2 files changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/tools/perf/ui/browser.c b/tools/perf/ui/browser.c
> > index 603d11283cbd..c4cdf2ea69b7 100644
> > --- a/tools/perf/ui/browser.c
> > +++ b/tools/perf/ui/browser.c
> > @@ -287,7 +287,8 @@ int ui_browser__show(struct ui_browser *browser, const char *title,
> > mutex_lock(&ui__lock);
> > __ui_browser__show_title(browser, title);
> >
> > - browser->title = title;
> > + free(browser->title);
> > + browser->title = strdup(title);
> > zfree(&browser->helpline);
> >
> > va_start(ap, helpline);
> > @@ -304,6 +305,7 @@ void ui_browser__hide(struct ui_browser *browser)
> > mutex_lock(&ui__lock);
> > ui_helpline__pop();
> > zfree(&browser->helpline);
> > + zfree(&browser->title);
> > mutex_unlock(&ui__lock);
> > }
> >
> > diff --git a/tools/perf/ui/browser.h b/tools/perf/ui/browser.h
> > index 510ce4554050..6e98d5f8f71c 100644
> > --- a/tools/perf/ui/browser.h
> > +++ b/tools/perf/ui/browser.h
> > @@ -21,7 +21,7 @@ struct ui_browser {
> > u8 extra_title_lines;
> > int current_color;
> > void *priv;
> > - const char *title;
> > + char *title;
> > char *helpline;
> > const char *no_samples_msg;
> > void (*refresh_dimensions)(struct ui_browser *browser);
> > --
> > 2.45.0.rc1.225.g2a3ae87e7f-goog
Powered by blists - more mailing lists