From: Ian Rogers <irogers@google.com>
To: John Garry <john.g.garry@oracle.com>,
Will Deacon <will@kernel.org>, James Clark <james.clark@arm.com>,
Mike Leach <mike.leach@linaro.org>, Leo Yan <leo.yan@linaro.org>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Jiri Olsa <jolsa@kernel.org>, Namhyung Kim <namhyung@kernel.org>,
Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
"Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>,
Kan Liang <kan.liang@linux.intel.com>,
German Gomez <german.gomez@arm.com>,
Ali Saidi <alisaidi@amazon.com>,
Jing Zhang <renyu.zj@linux.alibaba.com>,
Athira Rajeev <atrajeev@linux.vnet.ibm.com>,
Miguel Ojeda <ojeda@kernel.org>,
ye xingchen <ye.xingchen@zte.com.cn>,
Liam Howlett <liam.howlett@oracle.com>,
Dmitrii Dolgov <9erthalion6@gmail.com>,
Yang Jihong <yangjihong1@huawei.com>,
K Prateek Nayak <kprateek.nayak@amd.com>,
Changbin Du <changbin.du@huawei.com>,
Ravi Bangoria <ravi.bangoria@amd.com>,
Sean Christopherson <seanjc@google.com>,
Andi Kleen <ak@linux.intel.com>,
"Steinar H. Gunderson" <sesse@google.com>,
Yuan Can <yuancan@huawei.com>,
Brian Robbins <brianrob@linux.microsoft.com>,
liuwenyu <liuwenyu7@huawei.com>,
Ivan Babrou <ivan@cloudflare.com>,
Fangrui Song <maskray@google.com>,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-perf-users@vger.kernel.org, coresight@lists.linaro.org
Subject: [PATCH v2 23/26] perf header: Avoid out-of-bounds read
Date: Thu, 8 Jun 2023 16:28:20 -0700 [thread overview]
Message-ID: <20230608232823.4027869-24-irogers@google.com> (raw)
In-Reply-To: <20230608232823.4027869-1-irogers@google.com>
intel-pt tests were failing:
```
...
--- Test virtual LBR ---
Linux
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.126 MB /tmp/perf-test-intel-pt-sh.FW57CXnCqQ/test-perf.data ]
Failed with virtual lbr
...
```
The root cause is an out-of-bounds read in header (where maxbrstack.py
is from test_intel_pt.sh):
```
$ perf --no-pager script --itrace=L -s maxbrstack.py
=================================================================
==3907930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000095a8 at pc 0x563c26c840bb bp 0x7fff43582710 sp 0x7fff43582708
READ of size 4 at 0x6020000095a8 thread T0
#0 0x563c26c840ba in process_group_desc util/header.c:2847
#1 0x563c26c8bc78 in perf_file_section__process util/header.c:4037
#2 0x563c26c8aa9b in perf_header__process_sections util/header.c:3813
#3 0x563c26c8d028 in perf_session__read_header util/header.c:4286
#4 0x563c26cbab29 in perf_session__open util/session.c:113
#5 0x563c26cbb3d0 in __perf_session__new util/session.c:221
#6 0x563c26aacb14 in perf_session__new util/session.h:73
#7 0x563c26acf7f1 in cmd_script tools/perf/builtin-script.c:4212
#8 0x563c26bb58ff in run_builtin tools/perf/perf.c:323
#9 0x563c26bb5e70 in handle_internal_command tools/perf/perf.c:377
#10 0x563c26bb6238 in run_argv tools/perf/perf.c:421
#11 0x563c26bb67a0 in main tools/perf/perf.c:537
#12 0x7f34bde46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x7f34bde46244 in __libc_start_main_impl ../csu/libc-start.c:381
#14 0x563c26a33390 in _start (/tmp/perf/perf+0x1eb390)
0x6020000095a8 is located 8 bytes to the right of 16-byte region [0x602000009590,0x6020000095a0)
allocated by thread T0 here:
#0 0x7f34beeb83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x563c26c83df8 in process_group_desc util/header.c:2824
#2 0x563c26c8bc78 in perf_file_section__process util/header.c:4037
#3 0x563c26c8aa9b in perf_header__process_sections util/header.c:3813
#4 0x563c26c8d028 in perf_session__read_header util/header.c:4286
#5 0x563c26cbab29 in perf_session__open util/session.c:113
#6 0x563c26cbb3d0 in __perf_session__new util/session.c:221
#7 0x563c26aacb14 in perf_session__new util/session.h:73
#8 0x563c26acf7f1 in cmd_script tools/perf/builtin-script.c:4212
#9 0x563c26bb58ff in run_builtin tools/perf/perf.c:323
#10 0x563c26bb5e70 in handle_internal_command tools/perf/perf.c:377
#11 0x563c26bb6238 in run_argv tools/perf/perf.c:421
#12 0x563c26bb67a0 in main tools/perf/perf.c:537
#13 0x7f34bde46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
```
Avoid the out-of-bounds read checking for the leader. Leave the 'nr'
check intact as nr will be 0 or the counting down and evsel be a group
member.
Signed-off-by: Ian Rogers <irogers@google.com>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 3db7c1fae71e..52fbf526fe74 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -2844,7 +2844,7 @@ static int process_group_desc(struct feat_fd *ff, void *data __maybe_unused)
i = nr = 0;
evlist__for_each_entry(session->evlist, evsel) {
- if (evsel->core.idx == (int) desc[i].leader_idx) {
+ if (i < nr_groups && evsel->core.idx == (int) desc[i].leader_idx) {
evsel__set_leader(evsel, evsel);
/* {anon_group} is a dummy name */
if (strcmp(desc[i].name, "{anon_group}")) {
--
2.41.0.162.gfafddb0af9-goog
next prev parent reply other threads:[~2023-06-08 23:31 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-08 23:27 [PATCH v2 00/26] Fix memory leaks (was reference count checking for thread) Ian Rogers
2023-06-08 23:27 ` [PATCH v2 01/26] perf thread: Remove notion of dead threads Ian Rogers
2023-06-08 23:27 ` [PATCH v2 02/26] perf thread: Make threads rbtree non-invasive Ian Rogers
2023-06-09 14:13 ` Arnaldo Carvalho de Melo
2023-06-08 23:28 ` [PATCH v2 03/26] perf thread: Add accessor functions for thread Ian Rogers
2023-06-09 14:15 ` Arnaldo Carvalho de Melo
2023-06-09 14:50 ` Arnaldo Carvalho de Melo
2023-06-08 23:28 ` [PATCH v2 04/26] perf maps: Make delete static, always use put Ian Rogers
2023-06-09 14:17 ` Arnaldo Carvalho de Melo
2023-06-08 23:28 ` [PATCH v2 05/26] perf addr_location: Move to its own header Ian Rogers
2023-06-09 14:18 ` Arnaldo Carvalho de Melo
2023-06-08 23:28 ` [PATCH v2 06/26] perf addr_location: Add init/exit/copy functions Ian Rogers
2023-06-09 19:48 ` Arnaldo Carvalho de Melo
2023-06-08 23:28 ` [PATCH v2 07/26] perf thread: Add reference count checking Ian Rogers
2023-06-08 23:28 ` [PATCH v2 08/26] perf machine: Make delete_threads part of machine__exit Ian Rogers
2023-06-08 23:28 ` [PATCH v2 09/26] perf report: Avoid thread leak Ian Rogers
2023-06-08 23:28 ` [PATCH v2 10/26] perf header: Ensure bitmaps are freed Ian Rogers
2023-06-08 23:28 ` [PATCH v2 11/26] perf stat: Avoid evlist leak Ian Rogers
2023-06-08 23:28 ` [PATCH v2 12/26] perf intel-pt: Fix missed put and leak Ian Rogers
2023-06-08 23:28 ` [PATCH v2 13/26] perf evlist: Free stats in all evlist destruction Ian Rogers
2023-06-08 23:28 ` [PATCH v2 14/26] perf python: Avoid 2 leak sanitizer issues Ian Rogers
2023-06-08 23:28 ` [PATCH v2 15/26] perf jit: Fix two thread leaks Ian Rogers
2023-06-08 23:28 ` [PATCH v2 16/26] perf symbol-elf: Correct holding a reference Ian Rogers
2023-06-08 23:28 ` [PATCH v2 17/26] perf maps: Fix overlapping memory leak Ian Rogers
2023-06-08 23:28 ` [PATCH v2 18/26] perf machine: Fix leak of kernel dso Ian Rogers
2023-06-08 23:28 ` [PATCH v2 19/26] perf machine: Don't leak module maps Ian Rogers
2023-06-08 23:28 ` [PATCH v2 20/26] perf map/maps/thread: Changes to reference counting Ian Rogers
2023-06-08 23:28 ` [PATCH v2 21/26] perf annotate: Fix parse_objdump_line memory leak Ian Rogers
2023-06-08 23:28 ` [PATCH v2 22/26] perf top: Add exit routine for main thread Ian Rogers
2023-06-08 23:28 ` Ian Rogers [this message]
2023-06-08 23:28 ` [PATCH v2 24/26] perf callchain: Use pthread keys for tls callchain_cursor Ian Rogers
2023-06-09 19:49 ` Arnaldo Carvalho de Melo
2023-06-08 23:28 ` [PATCH v2 25/26] perf srcline: Change free_srcline to zfree_srcline Ian Rogers
2023-06-08 23:28 ` [PATCH v2 26/26] perf hist: Fix srcline memory leak Ian Rogers
2023-06-12 14:13 ` Arnaldo Carvalho de Melo
2023-06-12 14:16 ` Arnaldo Carvalho de Melo
2023-06-12 14:46 ` Ian Rogers
2023-06-12 17:23 ` Arnaldo Carvalho de Melo
2023-06-12 21:16 ` Andi Kleen
2023-06-12 21:30 ` Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230608232823.4027869-24-irogers@google.com \
--to=irogers@google.com \
--cc=9erthalion6@gmail.com \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=alisaidi@amazon.com \
--cc=atrajeev@linux.vnet.ibm.com \
--cc=brianrob@linux.microsoft.com \
--cc=changbin.du@huawei.com \
--cc=coresight@lists.linaro.org \
--cc=german.gomez@arm.com \
--cc=ivan@cloudflare.com \
--cc=james.clark@arm.com \
--cc=john.g.garry@oracle.com \
--cc=jolsa@kernel.org \
--cc=kan.liang@linux.intel.com \
--cc=kprateek.nayak@amd.com \
--cc=leo.yan@linaro.org \
--cc=liam.howlett@oracle.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=liuwenyu7@huawei.com \
--cc=mark.rutland@arm.com \
--cc=maskray@google.com \
--cc=mike.leach@linaro.org \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=naveen.n.rao@linux.vnet.ibm.com \
--cc=ojeda@kernel.org \
--cc=peterz@infradead.org \
--cc=ravi.bangoria@amd.com \
--cc=renyu.zj@linux.alibaba.com \
--cc=seanjc@google.com \
--cc=sesse@google.com \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yangjihong1@huawei.com \
--cc=ye.xingchen@zte.com.cn \
--cc=yuancan@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).