From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org,
Mitchell Krome <mitchellkrome@gmail.com>,
Jiri Olsa <jolsa@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Jiri Olsa <jolsa@redhat.com>, Paul Mackerras <paulus@samba.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Arnaldo Carvalho de Melo <acme@redhat.com>
Subject: [PATCH 18/18] perf symbols: Fix use after free in filename__read_build_id
Date: Tue, 16 Dec 2014 13:57:20 -0300
Message-ID: <1418749040-31807-19-git-send-email-acme@kernel.org>
In-Reply-To: <1418749040-31807-1-git-send-email-acme@kernel.org>
From: Mitchell Krome <mitchellkrome@gmail.com>
In filename__read_build_id, phdr points to memory in buf, which gets realloced
before a call to fseek that uses phdr->p_offset. This change stores the value
of p_offset before buf is realloced, so the fseek can use the value safely.
Signed-off-by: Mitchell Krome <mitchellkrome@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/20141216021612.GA7199@mitchell
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
tools/perf/util/symbol-minimal.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c
index fa585c63f56a..d7efb03b3f9a 100644
--- a/tools/perf/util/symbol-minimal.c
+++ b/tools/perf/util/symbol-minimal.c
@@ -129,6 +129,7 @@ int filename__read_build_id(const char *filename, void *bf, size_t size)
for (i = 0, phdr = buf; i < ehdr.e_phnum; i++, phdr++) {
void *tmp;
+ long offset;
if (need_swap) {
phdr->p_type = bswap_32(phdr->p_type);
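Review bot: the new `long offset;` declared here deserves a one-line comment saying why the value is copied out (the realloc() further down can move or free `buf`, and `phdr` points into it); without it, a later cleanup could easily fold `offset` back into `phdr->p_offset` and reintroduce exactly the use after free this patch removes.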
@@ -140,12 +141,13 @@ int filename__read_build_id(const char *filename, void *bf, size_t size)
continue;
buf_size = phdr->p_filesz;
+ offset = phdr->p_offset;
tmp = realloc(buf, buf_size);
if (tmp == NULL)
goto out_free;
buf = tmp;
- fseek(fp, phdr->p_offset, SEEK_SET);
+ fseek(fp, offset, SEEK_SET);
if (fread(buf, buf_size, 1, fp) != 1)
goto out_free;
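Review bot: the fseek() on the saved `offset` is still unchecked; if it fails (a stream that is not seekable, for instance) the fread() that follows reads from wherever the position was left and the caller gets a build-id from the wrong bytes. Suggest `if (fseek(fp, offset, SEEK_SET) != 0) goto out_free;`. Related but pre-existing: both `buf_size = phdr->p_filesz` and `offset` come straight from the file being parsed, so an oversized p_filesz drives the realloc() size with no upper bound; worth a sanity check in a follow-up since this code runs on binaries perf did not produce.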
@@ -178,6 +180,7 @@ int filename__read_build_id(const char *filename, void *bf, size_t size)
for (i = 0, phdr = buf; i < ehdr.e_phnum; i++, phdr++) {
void *tmp;
+ long offset;
if (need_swap) {
phdr->p_type = bswap_32(phdr->p_type);
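Review bot: if this second copy of the loop is the ELFCLASS64 path (the hunk does not show the header type, so please confirm), `phdr->p_offset` is a 64-bit Elf64_Off and storing it in `long offset` truncates it on 32-bit hosts where long is 32 bits; fseek() takes a long anyway, so the limitation is not new, but declaring `off_t offset` and using fseeko() would make both copies correct for large offsets.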
@@ -189,12 +192,13 @@ int filename__read_build_id(const char *filename, void *bf, size_t size)
continue;
buf_size = phdr->p_filesz;
+ offset = phdr->p_offset;
tmp = realloc(buf, buf_size);
if (tmp == NULL)
goto out_free;
buf = tmp;
- fseek(fp, phdr->p_offset, SEEK_SET);
+ fseek(fp, offset, SEEK_SET);
if (fread(buf, buf_size, 1, fp) != 1)
goto out_free;
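Review bot: this hunk is line-for-line the same fix as the one above, applied to a second copy of the loop; the duplication is what let the bug exist twice, so a follow-up that factors the PT_NOTE lookup into one helper parameterised on the header type would mean the next fix needs one change, not two. One thing to confirm from the surrounding code: after `buf = tmp;` and the fread(), `phdr` points into the freed block, so the loop must exit (break or return) right after this read rather than reach the `phdr++` in the for header; the context shown ends at `goto out_free`, so the break is presumably just below, but it is the other half of keeping this loop free of dangling accesses.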
--
1.9.3
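The ordering the commit message describes, as an added C example that is not the patch's code and not from perf: a model of the PT_NOTE loop in filename__read_build_id run over a constructed ELF32 program-header image served through fmemopen(), with the fields of `phdr` copied out before the realloc() that invalidates it, and the loop left immediately after the read so `phdr++` never runs on freed memory. The names `load_note_segment` and `sample_file`, the 16-byte pad and the note bytes are made up for this example; unlike the perf code, it also checks fseek()'s return value.

```c
#define _POSIX_C_SOURCE 200809L
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read `phnum` ELF32 program headers at `phoff`, find PT_NOTE and return its
 * bytes in a malloc'ed buffer (size in *len; caller frees), or NULL on error. */
void *load_note_segment(FILE *fp, long phoff, unsigned phnum, size_t *len)
{
	size_t buf_size = sizeof(Elf32_Phdr) * phnum;
	void *buf = malloc(buf_size), *tmp;
	Elf32_Phdr *phdr;
	unsigned i;

	if (!buf)
		return NULL;
	if (fseek(fp, phoff, SEEK_SET) != 0 || fread(buf, buf_size, 1, fp) != 1)
		goto out_free;
	for (i = 0, phdr = buf; i < phnum; i++, phdr++) {
		long offset;
		if (phdr->p_type != PT_NOTE || phdr->p_filesz == 0)
			continue;
		/* Copy what is still needed out of *phdr BEFORE realloc() moves or frees buf. */
		buf_size = phdr->p_filesz;
		offset = phdr->p_offset;
		if (!(tmp = realloc(buf, buf_size)))
			goto out_free;
		buf = tmp;	/* phdr is now dangling; never dereference it again */
		if (fseek(fp, offset, SEEK_SET) != 0 || fread(buf, buf_size, 1, fp) != 1)
			goto out_free;
		*len = buf_size;
		return buf;	/* leave the loop here: phdr++ would also touch freed memory */
	}
out_free:
	free(buf);
	return NULL;
}

/* Constructed sample image: 16 pad bytes, two program headers, a 12-byte note. */
static struct {
	unsigned char pad[16];
	Elf32_Phdr ph[2];
	char note[12];
} sample = {
	.ph = { { .p_type = PT_LOAD },
		{ .p_type = PT_NOTE, .p_offset = 16 + 2 * sizeof(Elf32_Phdr), .p_filesz = 12 } },
	.note = "build-id!!!",
};

/* Serve the sample through a FILE* so the loader can fseek()/fread() it. */
FILE *sample_file(void) { return fmemopen(&sample, sizeof(sample), "r"); }
```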