Message-ID: <aBTzkQctM8p2HsVw@x1>
Date: Fri, 2 May 2025 13:32:17 -0300
From: Arnaldo Carvalho de Melo <acme@...nel.org>
To: Namhyung Kim <namhyung@...nel.org>
Cc: Ian Rogers <irogers@...gle.com>, Peter Zijlstra <peterz@...radead.org>,
	Ingo Molnar <mingo@...hat.com>, Mark Rutland <mark.rutland@....com>,
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
	Jiri Olsa <jolsa@...nel.org>,
	Adrian Hunter <adrian.hunter@...el.com>,
	Kan Liang <kan.liang@...ux.intel.com>,
	linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] perf symbol-minimal: Fix double free in
 filename__read_build_id

On Thu, May 01, 2025 at 01:25:27PM -0700, Namhyung Kim wrote:
> Hi Ian,
> 
> On Thu, May 01, 2025 at 12:00:03AM -0700, Ian Rogers wrote:
> > Running the "perf script task-analyzer tests" with address sanitizer
> > showed a double free:
> > ```
> > FAIL: "test_csv_extended_times" Error message: "Failed to find required string:'Out-Out;'."
> > =================================================================
> > ==19190==ERROR: AddressSanitizer: attempting double-free on 0x50b000017b10 in thread T0:
> >     #0 0x55da9601c78a in free (perf+0x26078a) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a)
> >     #1 0x55da96640c63 in filename__read_build_id tools/perf/util/symbol-minimal.c:221:2
> > 
> > 0x50b000017b10 is located 0 bytes inside of 112-byte region [0x50b000017b10,0x50b000017b80)
> > freed by thread T0 here:
> >     #0 0x55da9601ce40 in realloc (perf+0x260e40) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a)
> >     #1 0x55da96640ad6 in filename__read_build_id tools/perf/util/symbol-minimal.c:204:10
> > 
> > previously allocated by thread T0 here:
> >     #0 0x55da9601ca23 in malloc (perf+0x260a23) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a)
> >     #1 0x55da966407e7 in filename__read_build_id tools/perf/util/symbol-minimal.c:181:9
> > 
> > SUMMARY: AddressSanitizer: double-free (perf+0x26078a) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) in free
> > ==19190==ABORTING
> > FAIL: "invocation of perf script report task-analyzer --csv-summary csvsummary --summary-extended command failed" Error message: ""
> > FAIL: "test_csvsummary_extended" Error message: "Failed to find required string:'Out-Out;'."
> > ---- end(-1) ----
> > 132: perf script task-analyzer tests                                 : FAILED!
> > ```
> > 
> > The buf_size is always set to phdr->p_filesz, but that may be 0
> > causing a free and realloc to return NULL. This is treated in
> > filename__read_build_id like a failure and the buffer is freed again.
> > 
> > To avoid this problem only grow buf, meaning the buf_size will never
> > be 0. This also reduces the number of memory (re)allocations.
> 
> Thanks for fixing this!
> 
> Acked-by: Namhyung Kim <namhyung@...nel.org>

Thanks, applied to perf-tools-next,

- Arnaldo
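
The grow-only buffer handling described in the quoted commit message, as an added example that is not the perf patch or any code from this thread. The names scratch, scratch_reserve and walk_segments and the segment sizes are hypothetical, constructed for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical scratch buffer, not perf's code; cap never shrinks. */
struct scratch { void *buf; size_t cap; int reallocs; };

/* Grow-only: realloc() is reached only when need > cap, so never with size 0.
 * On failure s->buf is untouched and still owned by the caller. */
static int scratch_reserve(struct scratch *s, size_t need)
{
	void *tmp;

	if (need <= s->cap)
		return 0;          /* covers need == 0: no realloc call at all */
	tmp = realloc(s->buf, need);
	if (!tmp)
		return -1;
	s->buf = tmp;
	s->cap = need;
	s->reallocs++;
	return 0;
}

/* Reserve room for each constructed segment size in turn; returns the final
 * capacity, or (size_t)-1 on allocation failure. buf is freed exactly once. */
static size_t walk_segments(const size_t *filesz, size_t n, int *reallocs)
{
	struct scratch s = { NULL, 0, 0 };
	size_t i;

	for (i = 0; i < n; i++) {
		if (scratch_reserve(&s, filesz[i]) < 0) {
			free(s.buf);   /* the only free on the error path */
			return (size_t)-1;
		}
		if (filesz[i])
			memset(s.buf, 0, filesz[i]); /* stand-in for reading the segment */
	}
	*reallocs = s.reallocs;
	free(s.buf);
	return s.cap;
}

int main(void)
{
	const size_t sizes[] = { 112, 0, 64, 200 }; /* constructed; 0 is the bad case */
	int r = 0;
	return !(walk_segments(sizes, 4, &r) == 200 && r == 2);
}
```

Because the zero-size entry never reaches realloc(), the buffer cannot be released behind the caller's back, and the smaller 64-byte entry reuses the existing allocation.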
