lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <c98e8399-1471-4d38-b314-4fbcb8dcb27d@linaro.org>
Date: Fri, 20 Dec 2024 17:16:21 +0000
From: James Clark <james.clark@...aro.org>
To: Nihar Chaithanya <niharchaithanya@...il.com>, Leo Yan <leo.yan@....com>
Cc: skhan@...uxfoundation.org, john.g.garry@...cle.com, will@...nel.org,
 mike.leach@...aro.org, leo.yan@...ux.dev, peterz@...radead.org,
 mingo@...hat.com, acme@...nel.org, namhyung@...nel.org,
 mark.rutland@....com, alexander.shishkin@...ux.intel.com, jolsa@...nel.org,
 irogers@...gle.com, adrian.hunter@...el.com, kan.liang@...ux.intel.com,
 graham.woodward@....com, bwicaksono@...dia.com,
 linux-arm-kernel@...ts.infradead.org, linux-perf-users@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] perf: arm-spe: Fix null-ptr-deref in
 arm_spe__alloc_metadata()



On 20/12/2024 2:57 pm, Nihar Chaithanya wrote:
> When metadata is allocated using arm_spe__alloc_metadata(), if the
> metadata version is 1, metadata is returned as NULL. This value
> is dereferenced later in arm_spe__free_metadata() and it can cause
> null-ptr-deref.
> 
> Modify the NULL check for metadata to return -EINVAL even when
> metadata_ver == 1.
> 

Hi Nihar,

I don't think this is the right fix. Doesn't that mean we can't open 
files with V1 anymore? Did you test opening an old SPE file on a new 
version of Perf? I actually thought I tested this before but maybe not 
if there's a NULL deref.

Seems like the correct fix is to not dereference anything if metadata is 
NULL, or make a fake placeholder one.


> This issue was reported by Coverity scan [1].
> [1] https://scan5.scan.coverity.com/#/project-view/63616/10063?selectedIssue=1636359
> 

Is this supposed to be publicly accessible? It goes to a login page for me.

> Closes: https://scan5.scan.coverity.com/#/project-view/63616/10063?selectedIssue=1636359
> Signed-off-by: Nihar Chaithanya <niharchaithanya@...il.com>

Probably needs a fixes: tag too for the commit that introduced the issue.

Thanks
James

> ---
>   tools/perf/util/arm-spe.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/perf/util/arm-spe.c b/tools/perf/util/arm-spe.c
> index dbf13f47879c..55827d8ce133 100644
> --- a/tools/perf/util/arm-spe.c
> +++ b/tools/perf/util/arm-spe.c
> @@ -1497,7 +1497,7 @@ int arm_spe_process_auxtrace_info(union perf_event *event,
>   
>   	metadata = arm_spe__alloc_metadata(auxtrace_info, &metadata_ver,
>   					   &nr_cpu);
> -	if (!metadata && metadata_ver != 1) {
> +	if (!metadata) {
>   		pr_err("Failed to parse Arm SPE metadata.\n");
>   		return -EINVAL;
>   	}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ