author Ian Rogers <[email protected]> 2023-06-08 16:28:20 -0700
committer Arnaldo Carvalho de Melo <[email protected]> 2023-06-12 15:57:54 -0300
commit d7ba60a4e590f79e6f28c0fb47d4a862656b1d70
tree 77d4410bb03979ad9c2ce31c9b5c41705e0954e4
parent cddeeeda8fba4156255abf5a1d8c2517de8db0cd
perf header: Avoid out-of-bounds read
intel-pt tests were failing:

```
-- Test virtual LBR ---
Linux
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.126 MB /tmp/perf-test-intel-pt-sh.FW57CXnCqQ/test-perf.data ]
Failed with virtual lbr
...
```

The root cause is an out-of-bounds read in header (where maxbrstack.py is from test_intel_pt.sh):

```
$ perf --no-pager script --itrace=L -s maxbrstack.py
=================================================================
==3907930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000095a8 at pc 0x563c26c840bb bp 0x7fff43582710 sp 0x7fff43582708
READ of size 4 at 0x6020000095a8 thread T0
    #0 0x563c26c840ba in process_group_desc util/header.c:2847
    #1 0x563c26c8bc78 in perf_file_section__process util/header.c:4037
    #2 0x563c26c8aa9b in perf_header__process_sections util/header.c:3813
    #3 0x563c26c8d028 in perf_session__read_header util/header.c:4286
    #4 0x563c26cbab29 in perf_session__open util/session.c:113
    #5 0x563c26cbb3d0 in __perf_session__new util/session.c:221
    #6 0x563c26aacb14 in perf_session__new util/session.h:73
    #7 0x563c26acf7f1 in cmd_script tools/perf/builtin-script.c:4212
    #8 0x563c26bb58ff in run_builtin tools/perf/perf.c:323
    #9 0x563c26bb5e70 in handle_internal_command tools/perf/perf.c:377
    #10 0x563c26bb6238 in run_argv tools/perf/perf.c:421
    #11 0x563c26bb67a0 in main tools/perf/perf.c:537
    #12 0x7f34bde46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #13 0x7f34bde46244 in __libc_start_main_impl ../csu/libc-start.c:381
    #14 0x563c26a33390 in _start (/tmp/perf/perf+0x1eb390)

0x6020000095a8 is located 8 bytes to the right of 16-byte region [0x602000009590,0x6020000095a0)
allocated by thread T0 here:
    #0 0x7f34beeb83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x563c26c83df8 in process_group_desc util/header.c:2824
    #2 0x563c26c8bc78 in perf_file_section__process util/header.c:4037
    #3 0x563c26c8aa9b in perf_header__process_sections util/header.c:3813
    #4 0x563c26c8d028 in perf_session__read_header util/header.c:4286
    #5 0x563c26cbab29 in perf_session__open util/session.c:113
    #6 0x563c26cbb3d0 in __perf_session__new util/session.c:221
    #7 0x563c26aacb14 in perf_session__new util/session.h:73
    #8 0x563c26acf7f1 in cmd_script tools/perf/builtin-script.c:4212
    #9 0x563c26bb58ff in run_builtin tools/perf/perf.c:323
    #10 0x563c26bb5e70 in handle_internal_command tools/perf/perf.c:377
    #11 0x563c26bb6238 in run_argv tools/perf/perf.c:421
    #12 0x563c26bb67a0 in main tools/perf/perf.c:537
    #13 0x7f34bde46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
```

Avoid the out-of-bounds read checking for the leader. Leave the 'nr' check intact as nr will be 0 or the counting down and evsel be a group member.

Signed-off-by: Ian Rogers <[email protected]>
Cc: Adrian Hunter <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Ali Saidi <[email protected]>
Cc: Andi Kleen <[email protected]>
Cc: Athira Rajeev <[email protected]>
Cc: Brian Robbins <[email protected]>
Cc: Changbin Du <[email protected]>
Cc: Dmitrii Dolgov <[email protected]>
Cc: Fangrui Song <[email protected]>
Cc: German Gomez <[email protected]>
Cc: Ian Rogers <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Ivan Babrou <[email protected]>
Cc: James Clark <[email protected]>
Cc: Jing Zhang <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: John Garry <[email protected]>
Cc: K Prateek Nayak <[email protected]>
Cc: Kan Liang <[email protected]>
Cc: Leo Yan <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: Mark Rutland <[email protected]>
Cc: Miguel Ojeda <[email protected]>
Cc: Mike Leach <[email protected]>
Cc: Namhyung Kim <[email protected]>
Cc: Naveen N. Rao <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Ravi Bangoria <[email protected]>
Cc: Sean Christopherson <[email protected]>
Cc: Steinar H. Gunderson <[email protected]>
Cc: Suzuki Poulouse <[email protected]>
Cc: Wenyu Liu <[email protected]>
Cc: Will Deacon <[email protected]>
Cc: Yang Jihong <[email protected]>
Cc: Ye Xingchen <[email protected]>
Cc: Yuan Can <[email protected]>
Cc: [email protected]
Link: https://lore.kernel.org/lkml/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
-rw-r--r-- tools/perf/util/header.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 3db7c1fae71e..52fbf526fe74 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -2844,7 +2844,7 @@ static int process_group_desc(struct feat_fd *ff, void *data __maybe_unused)
i = nr = 0;
evlist__for_each_entry(session->evlist, evsel) {
- if (evsel->core.idx == (int) desc[i].leader_idx) {
+ if (i < nr_groups && evsel->core.idx == (int) desc[i].leader_idx) {
evsel__set_leader(evsel, evsel);
/* {anon_group} is a dummy name */
if (strcmp(desc[i].name, "{anon_group}")) {
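Review bot: The `i < nr_groups` guard added to the leader test in `evlist__for_each_entry` needs a short comment saying when `i` can equal `nr_groups` while the loop is still running, because the condition otherwise reads as redundant and is easy to drop in a later cleanup. The commit message gives the reason (once the descriptors are used up, the remaining evsels are group members handled by the `nr` countdown), and one line above the `if` would carry that into the source. The guard covers both reads visible here, `desc[i].leader_idx` in the condition and `desc[i].name` in the `strcmp` inside the branch; it is worth confirming that the rest of the loop body, which this hunk does not show, makes no other `desc[i]` access outside this branch. The `(int)` cast on `leader_idx` is unchanged context, but since the value is read from the perf.data file, a note on why a plain cast is sufficient there would help the next reader.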