Message-ID: <CAH0uvogzMcLXmr9KLT8CzmC0u4UgQ_2QGrpdOCzWWDjQbCL=Uw@mail.gmail.com>
Date: Mon, 6 Jan 2025 00:20:11 -0800
From: Howard Chu <howardchu95@...il.com>
To: Namhyung Kim <namhyung@...nel.org>
Cc: Arnaldo Carvalho de Melo <acme@...nel.org>, Ian Rogers <irogers@...gle.com>, 
	Kan Liang <kan.liang@...ux.intel.com>, Jiri Olsa <jolsa@...nel.org>, 
	Adrian Hunter <adrian.hunter@...el.com>, Peter Zijlstra <peterz@...radead.org>, 
	Ingo Molnar <mingo@...nel.org>, LKML <linux-kernel@...r.kernel.org>, 
	linux-perf-users@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH] perf trace: Fix unaligned access for augmented args

Hello Namhyung,

Thanks for the fix, and sorry for the delay and for making you do
this. I should've done it myself earlier. This bug is present in the
commit without the whole BTF thing.

Here is the commit before '45a0c928e7aa perf trace: BTF-based enum
pretty printing for syscall args'

$ git log --oneline
bfa54a793ba7 (HEAD) driver core: bus: Fix double free in driver API bus_register()

perf $ UBSAN_OPTIONS=print_stacktrace=1 ./perf trace -- sleep 1
builtin-trace.c:1715:35: runtime error: index 6 out of bounds for type 'syscall_arg_fmt [6]'
    #0 0x5d0994789a74 in syscall__alloc_arg_fmts
/root/hw/linux-perf/tools/perf/builtin-trace.c:1715
    #1 0x5d099478b72c in trace__read_syscall_info
/root/hw/linux-perf/tools/perf/builtin-trace.c:1868
    #2 0x5d099478e571 in trace__syscall_info
/root/hw/linux-perf/tools/perf/builtin-trace.c:2179
    #3 0x5d099479ac81 in trace__init_syscall_bpf_progs
/root/hw/linux-perf/tools/perf/builtin-trace.c:3333
    #4 0x5d099479c28c in trace__init_syscalls_bpf_prog_array_maps
/root/hw/linux-perf/tools/perf/builtin-trace.c:3466
    #5 0x5d09947a0098 in trace__run
/root/hw/linux-perf/tools/perf/builtin-trace.c:3932
    #6 0x5d09947aa62d in cmd_trace
/root/hw/linux-perf/tools/perf/builtin-trace.c:5073
    #7 0x5d09947b6eed in run_builtin /root/hw/linux-perf/tools/perf/perf.c:350
    #8 0x5d09947b7518 in handle_internal_command
/root/hw/linux-perf/tools/perf/perf.c:403
    #9 0x5d09947b77ef in run_argv /root/hw/linux-perf/tools/perf/perf.c:447
    #10 0x5d09947b7d5e in main /root/hw/linux-perf/tools/perf/perf.c:561
    #11 0x7ec47642a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7ec47642a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x5d0994615d34 in _start
(/root/hw/linux-perf/tools/perf/perf+0x4bdd34) (BuildId:
791904aaae2afa7e7ad7e3aa80a32b71e824abcf)

         ? (         ): sleep/180215  ... [continued]: execve())                        = 0
     0.039 ( 0.002 ms): sleep/180215 brk()                                              = 0x604c45ccb000
     0.075 ( 0.005 ms): sleep/180215 mmap(len: 8192, prot: READ|WRITE, flags: PRIVATE|ANONYMOUS) = 0x7ff6de94d000

builtin-trace.c:1531:55: runtime error: member access within misaligned address 0x7ec47192343c for type 'struct augmented_arg', which requires 8 byte alignment
0x7ec47192343c: note: pointer points here
  f6 7f 00 00 13 00 00 00  2f 65 74 63 2f 6c 64 2e  73 6f 2e 70 72 65 6c 6f  61 64 00 00 00 00 00 00
              ^
    #0 0x5d0994788527 in syscall_arg__scnprintf_augmented_string
/root/hw/linux-perf/tools/perf/builtin-trace.c:1531
    #1 0x5d09947887ca in syscall_arg__scnprintf_filename
/root/hw/linux-perf/tools/perf/builtin-trace.c:1545
    #2 0x5d099478d436 in syscall_arg_fmt__scnprintf_val
/root/hw/linux-perf/tools/perf/builtin-trace.c:2044
    #3 0x5d099478dd8b in syscall__scnprintf_args
/root/hw/linux-perf/tools/perf/builtin-trace.c:2106
    #4 0x5d0994790c44 in trace__sys_enter
/root/hw/linux-perf/tools/perf/builtin-trace.c:2387
    #5 0x5d0994799ba5 in trace__handle_event
/root/hw/linux-perf/tools/perf/builtin-trace.c:3198
    #6 0x5d099479d3eb in __trace__deliver_event
/root/hw/linux-perf/tools/perf/builtin-trace.c:3635
    #7 0x5d099479d6c9 in trace__deliver_event
/root/hw/linux-perf/tools/perf/builtin-trace.c:3662
    #8 0x5d09947a0cc4 in trace__run
/root/hw/linux-perf/tools/perf/builtin-trace.c:4010
    #9 0x5d09947aa62d in cmd_trace
/root/hw/linux-perf/tools/perf/builtin-trace.c:5073
    #10 0x5d09947b6eed in run_builtin /root/hw/linux-perf/tools/perf/perf.c:350
    #11 0x5d09947b7518 in handle_internal_command
/root/hw/linux-perf/tools/perf/perf.c:403
    #12 0x5d09947b77ef in run_argv /root/hw/linux-perf/tools/perf/perf.c:447
    #13 0x5d09947b7d5e in main /root/hw/linux-perf/tools/perf/perf.c:561
    #14 0x7ec47642a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #15 0x7ec47642a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #16 0x5d0994615d34 in _start
(/root/hw/linux-perf/tools/perf/perf+0x4bdd34) (BuildId:
791904aaae2afa7e7ad7e3aa80a32b71e824abcf)

     <snip>

trace/beauty/timespec.c:12:9: runtime error: member access within misaligned address 0x7ec4719264b4 for type 'struct timespec', which requires 8 byte alignment
0x7ec4719264b4: note: pointer points here
  00 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
              ^
    #0 0x5d09947b02e7 in syscall_arg__scnprintf_augmented_timespec
trace/beauty/timespec.c:12
    #1 0x5d09947b0417 in syscall_arg__scnprintf_timespec
trace/beauty/timespec.c:18
    #2 0x5d099478d436 in syscall_arg_fmt__scnprintf_val
/root/hw/linux-perf/tools/perf/builtin-trace.c:2044
    #3 0x5d099478dd8b in syscall__scnprintf_args
/root/hw/linux-perf/tools/perf/builtin-trace.c:2106
    #4 0x5d0994790c44 in trace__sys_enter
/root/hw/linux-perf/tools/perf/builtin-trace.c:2387
    #5 0x5d0994799ba5 in trace__handle_event
/root/hw/linux-perf/tools/perf/builtin-trace.c:3198
    #6 0x5d099479d3eb in __trace__deliver_event
/root/hw/linux-perf/tools/perf/builtin-trace.c:3635
    #7 0x5d099479d6c9 in trace__deliver_event
/root/hw/linux-perf/tools/perf/builtin-trace.c:3662
    #8 0x5d09947a0cc4 in trace__run
/root/hw/linux-perf/tools/perf/builtin-trace.c:4010
    #9 0x5d09947aa62d in cmd_trace
/root/hw/linux-perf/tools/perf/builtin-trace.c:5073
    #10 0x5d09947b6eed in run_builtin /root/hw/linux-perf/tools/perf/perf.c:350
    #11 0x5d09947b7518 in handle_internal_command
/root/hw/linux-perf/tools/perf/perf.c:403
    #12 0x5d09947b77ef in run_argv /root/hw/linux-perf/tools/perf/perf.c:447
    #13 0x5d09947b7d5e in main /root/hw/linux-perf/tools/perf/perf.c:561
    #14 0x7ec47642a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #15 0x7ec47642a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #16 0x5d0994615d34 in _start
(/root/hw/linux-perf/tools/perf/perf+0x4bdd34) (BuildId:
791904aaae2afa7e7ad7e3aa80a32b71e824abcf)

As seen above, I encountered the same runtime error of misalignment as
you did in https://lore.kernel.org/all/Z2STgyD1p456Qqhg@google.com/,
not just in timespec.c, but also in the access of augmented_arg in
builtin-trace.c.

On Thu, Jan 2, 2025 at 12:12 PM Namhyung Kim <namhyung@...nel.org> wrote:
>
> Some version of compilers reported unaligned accesses in perf trace when
> undefined-behavior sanitizer is on.  I found that it uses raw data in the
> sample directly and assuming it's properly aligned.
>
> Unlike other sample fields, the raw data is not 8-byte aligned because
> there's a size field (u32) before the actual data.  So I added a static
> buffer in syscall__augmented_args() and return it instead.  This is not
> ideal but should work well as perf trace is single-threaded.
>
> A better approach would be aligning the raw data by adding a 4-byte data
> before the augmented args but I'm afraid it'd break the backward
> compatibility.

Can you explain backward compatibility? Do you mean the 'perf trace
record' and its perf data file?

With your patch attached:

perf $ UBSAN_OPTIONS=print_stacktrace=1 ./perf trace -e clock_nanosleep -- sleep 1
builtin-trace.c:1966:35: runtime error: index 6 out of bounds for type 'syscall_arg_fmt [6]'
    #0 0x577f3fc3d18c in syscall__alloc_arg_fmts
/root/hw/linux-perf/tools/perf/builtin-trace.c:1966
    #1 0x577f3fc3f0c1 in trace__read_syscall_info
/root/hw/linux-perf/tools/perf/builtin-trace.c:2129
    #2 0x577f3fc422ff in trace__syscall_info
/root/hw/linux-perf/tools/perf/builtin-trace.c:2466
    #3 0x577f3fc51b30 in trace__init_syscalls_bpf_prog_array_maps
/root/hw/linux-perf/tools/perf/builtin-trace.c:3927
    #4 0x577f3fc5591c in trace__run
/root/hw/linux-perf/tools/perf/builtin-trace.c:4365
    #5 0x577f3fc5fd48 in cmd_trace
/root/hw/linux-perf/tools/perf/builtin-trace.c:5532
    #6 0x577f3fc6c697 in run_builtin /root/hw/linux-perf/tools/perf/perf.c:351
    #7 0x577f3fc6ccc2 in handle_internal_command
/root/hw/linux-perf/tools/perf/perf.c:404
    #8 0x577f3fc6cf99 in run_argv /root/hw/linux-perf/tools/perf/perf.c:448
    #9 0x577f3fc6d503 in main /root/hw/linux-perf/tools/perf/perf.c:560
    #10 0x72edf8a2a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x72edf8a2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #12 0x577f3fac12c4 in _start
(/root/hw/linux-perf/tools/perf/perf+0x4e82c4) (BuildId:
bca8e50b69a43c91b4d187140c12c6608770d99e)

     0.000 (1000.225 ms): sleep/330971 clock_nanosleep(rqtp: { .tv_sec: 1, .tv_nsec: 0 }, rmtp: 0x7fff11ba9dc0) = 0

No more misalignment, and I'll fix the index-out-of-bounds bug.

Reviewed-by: Howard Chu <howardchu95@...il.com>

Thanks
Howard
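
The misalignment the thread is about, reduced to a stand-alone C program. This is an added illustration, not code from perf or from either poster: it models a PERF_SAMPLE_RAW-style buffer where a u32 size field sits before the raw payload, shows that the payload therefore lands at an address that is 4 mod 8, and applies the same remedy as Namhyung's patch (copy into an aligned static buffer before reading it as a struct). The struct layout, field names and the 32-byte value[] are hypothetical; UBSAN only tells us the real struct needs 8-byte alignment.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical augmented-arg record (not perf's real layout): one 8-byte
 * field followed by the string bytes, so the struct needs 8-byte alignment. */
struct augmented_arg {
	uint64_t size;      /* strlen(value) + 1, like the 0x13 in the UBSAN dump */
	char value[32];
};

/* Constructed sample buffer: starts 8-byte aligned (as the sample header
 * fields are), then a u32 raw size, then the raw payload. The u32 is what
 * pushes the payload to an address that is 4 mod 8. */
static alignas(8) unsigned char sample_buf[128];

/* Write one augmented string arg into the sample and return a pointer to
 * the raw payload, exactly as a reader that trusts the raw data sees it. */
const unsigned char *build_sample(const char *path, uint32_t *raw_size)
{
	struct augmented_arg arg;
	uint32_t size = sizeof(arg);

	memset(&arg, 0, sizeof(arg));
	arg.size = strlen(path) + 1;
	strncpy(arg.value, path, sizeof(arg.value) - 1);

	memcpy(sample_buf, &size, sizeof(size));              /* u32 size field */
	memcpy(sample_buf + sizeof(size), &arg, sizeof(arg)); /* raw data       */
	*raw_size = size;
	return sample_buf + sizeof(size);
}

/* 0 when p is suitably aligned for struct augmented_arg, otherwise the
 * number of bytes it is off by (this is what UBSAN's alignment check tests). */
size_t misalignment(const void *p)
{
	return (uintptr_t)p % alignof(struct augmented_arg);
}

/* The patch's approach: copy the raw bytes into a properly aligned static
 * buffer before treating them as a struct. A static buffer is only safe
 * because the consumer (perf trace) is single-threaded; concurrent callers
 * would overwrite each other's copy. The length clamp keeps a short or
 * corrupt raw_size from reading past the copy. */
const struct augmented_arg *aligned_augmented_arg(const unsigned char *raw,
						  uint32_t raw_size)
{
	static struct augmented_arg copy;   /* alignof == 8 by declaration */

	if (raw_size > sizeof(copy))
		raw_size = sizeof(copy);
	memset(&copy, 0, sizeof(copy));
	memcpy(&copy, raw, raw_size);       /* byte copy: no alignment needed */
	return &copy;
}

int main(void)
{
	uint32_t raw_size;
	const unsigned char *raw = build_sample("/etc/ld.so.preload", &raw_size);
	const struct augmented_arg *arg;

	printf("raw payload at %p, misaligned by %zu byte(s)\n",
	       (const void *)raw, misalignment(raw));

	arg = aligned_augmented_arg(raw, raw_size);
	printf("aligned copy at %p, misaligned by %zu byte(s)\n",
	       (const void *)arg, misalignment(arg));
	printf("size=%llu value=\"%s\"\n",
	       (unsigned long long)arg->size, arg->value);
	return 0;
}
```

Casting `raw` straight to `struct augmented_arg *` is the bug UBSAN flagged at builtin-trace.c:1531: the load of the u64 field is undefined behaviour on a 4-mod-8 address even on x86, where the hardware happens to tolerate it. The alternative Namhyung mentions, a 4-byte pad after the u32 size, would make the payload land at offset 8 and remove the copy, but changes the raw data layout that existing perf.data files and the BPF side already agree on.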
