Skip to content

L
linux
Switch branch/tag
Find file BlameHistoryPermalink
  • Ian Rogers's avatar
    perf header: Avoid out-of-bounds read · d7ba60a4
    Ian Rogers authored 
    intel-pt tests were failing:

  -- Test virtual LBR ---
  Linux
  [ perf record: Woken up 1 times to write data ]
  [ perf record: Captured and wrote 0.126 MB /tmp/perf-test-intel-pt-sh.FW57CXnCqQ/test-perf.data ]
  Failed with virtual lbr
  ...
  ```

  The root cause is an out-of-bounds read in header (where maxbrstack.py
  is from test_intel_pt.sh):
  ```
  $ perf --no-pager script --itrace=L -s maxbrstack.py
  =================================================================
  ==3907930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000095a8 at pc 0x563c26c840bb bp 0x7fff43582710 sp 0x7fff43582708
  READ of size 4 at 0x6020000095a8 thread T0
      #0 0x563c26c840ba in process_group_desc util/header.c:2847
      #1 0x563c26c8bc78 in perf_file_section__process util/header.c:4037
      #2 0x563c26c8aa9b in perf_header__process_sections util/header.c:3813
      #3 0x563c26c8d028 in perf_session__read_header util/header.c:4286
      #4 0x563c26cbab29 in perf_session__open util/session.c:113
      #5 0x563c26cbb3d0 in __perf_session__new util/session.c:221
      #6 0x563c26aacb14 in perf_session__new util/session.h:73
      #7 0x563c26acf7f1 in cmd_script tools/perf/builtin-script.c:4212
      #8 0x563c26bb58ff in run_builtin tools/perf/perf.c:323
      #9 0x563c26bb5e70 in handle_internal_command tools/perf/perf.c:377
      #10 0x563c26bb6238 in run_argv tools/perf/perf.c:421
      #11 0x563c26bb67a0 in main tools/perf/perf.c:537
      #12 0x7f34bde46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      #13 0x7f34bde46244 in __libc_start_main_impl ../csu/libc-start.c:381
      #14 0x563c26a33390 in _start (/tmp/perf/perf+0x1eb390)

  0x6020000095a8 is located 8 bytes to the right of 16-byte region [0x602000009590,0x6020000095a0)
  allocated by thread T0 here:
      #0 0x7f34beeb83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
      #1 0x563c26c83df8 in process_group_desc util/header.c:2824
      #2 0x563c26c8bc78 in perf_file_section__process util/header.c:4037
      #3 0x563c26c8aa9b in perf_header__process_sections util/header.c:3813
      #4 0x563c26c8d028 in perf_session__read_header util/header.c:4286
      #5 0x563c26cbab29 in perf_session__open util/session.c:113
      #6 0x563c26cbb3d0 in __perf_session__new util/session.c:221
      #7 0x563c26aacb14 in perf_session__new util/session.h:73
      #8 0x563c26acf7f1 in cmd_script tools/perf/builtin-script.c:4212
      #9 0x563c26bb58ff in run_builtin tools/perf/perf.c:323
      #10 0x563c26bb5e70 in handle_internal_command tools/perf/perf.c:377
      #11 0x563c26bb6238 in run_argv tools/perf/perf.c:421
      #12 0x563c26bb67a0 in main tools/perf/perf.c:537
      #13 0x7f34bde46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
  ```

Avoid the out-of-bounds read checking for the leader. Leave the 'nr'
check intact as nr will be 0 or the counting down and evsel be a group
member.
Signed-off-by: default avatarIan Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ali Saidi <alisaidi@amazon.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Cc: Brian Robbins <brianrob@linux.microsoft.com>
Cc: Changbin Du <changbin.du@huawei.com>
Cc: Dmitrii Dolgov <9erthalion6@gmail.com>
Cc: Fangrui Song <maskray@google.com>
Cc: German Gomez <german.gomez@arm.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Ivan Babrou <ivan@cloudflare.com>
Cc: James Clark <james.clark@arm.com>
Cc: Jing Zhang <renyu.zj@linux.alibaba.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: John Garry <john.g.garry@oracle.com>
Cc: K Prateek Nayak <kprateek.nayak@amd.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Mike Leach <mike.leach@linaro.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Steinar H. Gunderson <sesse@google.com>
Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
Cc: Wenyu Liu <liuwenyu7@huawei.com>
Cc: Will Deacon <will@kernel.org>
Cc: Yang Jihong <yangjihong1@huawei.com>
Cc: Ye Xingchen <ye.xingchen@zte.com.cn>
Cc: Yuan Can <yuancan@huawei.com>
Cc: linux-arm-kernel@lists.infradead.org
Link: https://lore.kernel.org/lkml/20230608232823.4027869-24-irogers@google.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
    d7ba60a4
header.c 96.8 KB
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7