Commit 98e1da90 authored by Frederic Weisbecker's avatar Frederic Weisbecker

perf tools: Robustify dynamic sample content fetch

Ensure the size of the dynamic fields such as callchains
or raw events don't overlap the whole event boundaries.

This prevents from dereferencing junk if the given size of
the callchain goes too eager.
Reported-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Reported-by: default avatarIngo Molnar <mingo@elte.hu>
Signed-off-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Stephane Eranian <eranian@google.com>
parent a2854124
...@@ -303,6 +303,17 @@ static int perf_event__parse_id_sample(const union perf_event *event, u64 type, ...@@ -303,6 +303,17 @@ static int perf_event__parse_id_sample(const union perf_event *event, u64 type,
return 0; return 0;
} }
static bool sample_overlap(const union perf_event *event,
const void *offset, u64 size)
{
const void *base = event;
if (offset + size > base + event->header.size)
return true;
return false;
}
int perf_event__parse_sample(const union perf_event *event, u64 type, int perf_event__parse_sample(const union perf_event *event, u64 type,
int sample_size, bool sample_id_all, int sample_size, bool sample_id_all,
struct perf_sample *data) struct perf_sample *data)
...@@ -373,14 +384,29 @@ int perf_event__parse_sample(const union perf_event *event, u64 type, ...@@ -373,14 +384,29 @@ int perf_event__parse_sample(const union perf_event *event, u64 type,
} }
if (type & PERF_SAMPLE_CALLCHAIN) { if (type & PERF_SAMPLE_CALLCHAIN) {
if (sample_overlap(event, array, sizeof(data->callchain->nr)))
return -EFAULT;
data->callchain = (struct ip_callchain *)array; data->callchain = (struct ip_callchain *)array;
if (sample_overlap(event, array, data->callchain->nr))
return -EFAULT;
array += 1 + data->callchain->nr; array += 1 + data->callchain->nr;
} }
if (type & PERF_SAMPLE_RAW) { if (type & PERF_SAMPLE_RAW) {
u32 *p = (u32 *)array; u32 *p = (u32 *)array;
if (sample_overlap(event, array, sizeof(u32)))
return -EFAULT;
data->raw_size = *p; data->raw_size = *p;
p++; p++;
if (sample_overlap(event, p, data->raw_size))
return -EFAULT;
data->raw_data = p; data->raw_data = p;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment