lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAH0uvog74tVNjKXZdu+pvg-7CnsuVugEb-XpF6Xcqzc9jzWSAw@mail.gmail.com>
Date: Thu, 23 Jan 2025 20:30:25 -0800
From: Howard Chu <howardchu95@...il.com>
To: Namhyung Kim <namhyung@...nel.org>
Cc: acme@...nel.org, jolsa@...nel.org, irogers@...gle.com, 
	adrian.hunter@...el.com, linux-perf-users@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] perf trace: Fix runtime error of index out of bounds

Hello again,

On Wed, Jan 22, 2025 at 11:11 AM Namhyung Kim <namhyung@...nel.org> wrote:
>
> On Tue, Jan 21, 2025 at 06:55:19PM -0800, Howard Chu wrote:
> > libtraceevent parses and returns an array of argument fields, sometimes
> > larger than RAW_SYSCALL_ARGS_NUM (6) because it includes "__syscall_nr",
> > idx will traverse to index 6 (7th element) whereas sc->fmt->arg holds 6
> > elements max, creating an out-of-bounds access. This runtime error is
> > found by UBsan. The error message:
>
> I'm curious how I miss this.  Is this only for some specific syscalls or
> always happening?  Do you which commit introduced this?

Forgot to mention the commit: it is (5e58fcfaf4c6: 'perf trace: Allow
allocating sc->arg_fmt even without the syscall tracepoint') that
introduced the bug. However, I wasn't able to build the perf tool at
this commit because it dates back to 2017, so I couldn’t bisect and
test it.

As for the runtime error, it occurs with the first 6-argument syscall
that calls the syscall__alloc_arg_fmts() function and causes the
out-of-bounds access. That’s going to be the futex syscall. If I skip
the futex syscall, mmap is next.

static int syscall__alloc_arg_fmts(struct syscall *sc, int nr_args)

** the 'nr_args' passed in can be 7

{
        int idx;

        if (nr_args == RAW_SYSCALL_ARGS_NUM && sc->fmt && sc->fmt->nr_args != 0)
                nr_args = sc->fmt->nr_args;

        sc->arg_fmt = calloc(nr_args, sizeof(*sc->arg_fmt));

        ** arg_fmt has 7 elements

        if (sc->arg_fmt == NULL)
                return -1;

        for (idx = 0; idx < nr_args; ++idx) {

                ** idx can be 6 (7th element), legal access for sc->arg_fmt
                ** but not for sc->fmt->arg, length of 6

                if (sc->fmt)
                        sc->arg_fmt[idx] = sc->fmt->arg[idx];
        }

        sc->nr_args = nr_args;
        return 0;
}

Thanks,
Howard


On Wed, Jan 22, 2025 at 11:11 AM Namhyung Kim <namhyung@...nel.org> wrote:
>
> On Tue, Jan 21, 2025 at 06:55:19PM -0800, Howard Chu wrote:
> > libtraceevent parses and returns an array of argument fields, sometimes
> > larger than RAW_SYSCALL_ARGS_NUM (6) because it includes "__syscall_nr",
> > idx will traverse to index 6 (7th element) whereas sc->fmt->arg holds 6
> > elements max, creating an out-of-bounds access. This runtime error is
> > found by UBsan. The error message:
>
> I'm curious how I miss this.  Is this only for some specific syscalls or
> always happening?  Do you which commit introduced this?
>
> Thanks,
> Namhyung
>
> >
> > perf $ sudo UBSAN_OPTIONS=print_stacktrace=1 ./perf trace -a --max-events=1
> > builtin-trace.c:1966:35: runtime error: index 6 out of bounds for type 'syscall_arg_fmt [6]'
> >     #0 0x5c04956be5fe in syscall__alloc_arg_fmts /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:1966
> >     #1 0x5c04956c0510 in trace__read_syscall_info /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:2110
> >     #2 0x5c04956c372b in trace__syscall_info /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:2436
> >     #3 0x5c04956d2f39 in trace__init_syscalls_bpf_prog_array_maps /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:3897
> >     #4 0x5c04956d6d25 in trace__run /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:4335
> >     #5 0x5c04956e112e in cmd_trace /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:5502
> >     #6 0x5c04956eda7d in run_builtin /home/howard/hw/linux-perf/tools/perf/perf.c:351
> >     #7 0x5c04956ee0a8 in handle_internal_command /home/howard/hw/linux-perf/tools/perf/perf.c:404
> >     #8 0x5c04956ee37f in run_argv /home/howard/hw/linux-perf/tools/perf/perf.c:448
> >     #9 0x5c04956ee8e9 in main /home/howard/hw/linux-perf/tools/perf/perf.c:556
> >     #10 0x79eb3622a3b7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
> >     #11 0x79eb3622a47a in __libc_start_main_impl ../csu/libc-start.c:360
> >     #12 0x5c04955422d4 in _start (/home/howard/hw/linux-perf/tools/perf/perf+0x4e02d4) (BuildId: 5b6cab2d59e96a4341741765ad6914a4d784dbc6)
> >
> >      0.000 ( 0.014 ms): Chrome_ChildIO/117244 write(fd: 238, buf: !, count: 1)                                      = 1
> >
> > Signed-off-by: Howard Chu <howardchu95@...il.com>
> > ---
> >  tools/perf/builtin-trace.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
> > index d7c7d29291fb..8d3260bad10a 100644
> > --- a/tools/perf/builtin-trace.c
> > +++ b/tools/perf/builtin-trace.c
> > @@ -2108,7 +2108,7 @@ static int trace__read_syscall_info(struct trace *trace, int id)
> >       }
> >
> >       if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ?
> > -                                     RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields))
> > +                                     RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields - 1))
> >               return -ENOMEM;
> >
> >       sc->args = sc->tp_format->format.fields;
> > --
> > 2.45.2
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ