From: Adrian Hunter <adrian.hunter@intel.com>
To: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: linux-kernel@vger.kernel.org, Jiri Olsa <jolsa@redhat.com>,
Namhyung Kim <namhyung@gmail.com>
Subject: [PATCH 4/5] perf session: Fix perf_session__peek_event()
Date: Tue, 19 May 2015 16:05:45 +0300 [thread overview]
Message-ID: <1432040746-1755-5-git-send-email-adrian.hunter@intel.com> (raw)
In-Reply-To: <1432040746-1755-1-git-send-email-adrian.hunter@intel.com>
perf_session__peek_event() generally leverages there
being a single mmap of the perf.data file, however on
32-bit platforms when there is more that 32MiB of
data, then there are multiple mmaps, so
perf_session__peek_event() reads from the file.
In that case a couple of bugs were exposed (note
how the seg. fault appears with >32M of data):
$ perf record --per-thread -e intel_bts// ../rtit-tests/loopy 1000000
[ perf record: Woken up 13 times to write data ]
[ perf record: Captured and wrote 24.568 MB perf.data ]
$ perf script > /dev/null
$ perf record --per-thread -e intel_bts// ../rtit-tests/loopy 10000000
[ perf record: Woken up 136 times to write data ]
[ perf record: Captured and wrote 270.794 MB perf.data ]
$ perf script > /dev/null
Segmentation fault (core dumped)
The wrong address was being passed to the readn() function and
the buffer size was not being checked.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
---
tools/perf/util/session.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
index e722107..39fe09d 100644
--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -1182,7 +1182,7 @@ int perf_session__peek_event(struct perf_session *session, off_t file_offset,
return -1;
if (lseek(fd, file_offset, SEEK_SET) == (off_t)-1 ||
- readn(fd, &buf, hdr_sz) != (ssize_t)hdr_sz)
+ readn(fd, buf, hdr_sz) != (ssize_t)hdr_sz)
return -1;
event = (union perf_event *)buf;
@@ -1190,12 +1190,12 @@ int perf_session__peek_event(struct perf_session *session, off_t file_offset,
if (session->header.needs_swap)
perf_event_header__bswap(&event->header);
- if (event->header.size < hdr_sz)
+ if (event->header.size < hdr_sz || event->header.size > buf_sz)
return -1;
rest = event->header.size - hdr_sz;
- if (readn(fd, &buf, rest) != (ssize_t)rest)
+ if (readn(fd, buf, rest) != (ssize_t)rest)
return -1;
if (session->header.needs_swap)
--
1.9.1
next prev parent reply other threads:[~2015-05-19 13:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-19 13:05 [PATCH 0/5] perf tools: Some fixes Adrian Hunter
2015-05-19 13:05 ` [PATCH 1/5] perf tools: Fix function declarations needed by parse-events.y Adrian Hunter
2015-05-27 16:45 ` [tip:perf/core] " tip-bot for Adrian Hunter
2015-05-19 13:05 ` [PATCH 2/5] perf build: Fix libunwind feature detection on 32-bit x86 Adrian Hunter
2015-05-27 16:46 ` [tip:perf/core] " tip-bot for Adrian Hunter
2015-05-19 13:05 ` [PATCH 3/5] perf tools: Fix parse_events_error dereferences Adrian Hunter
2015-05-27 16:46 ` [tip:perf/core] " tip-bot for Adrian Hunter
2015-05-19 13:05 ` Adrian Hunter [this message]
2015-05-27 16:46 ` [tip:perf/core] perf session: Fix perf_session__peek_event() tip-bot for Adrian Hunter
2015-05-19 13:05 ` [PATCH 5/5] perf tools: Fix data_read_offset() file opening Adrian Hunter
2015-05-19 14:48 ` Namhyung Kim
2015-05-19 19:58 ` Adrian Hunter
2015-05-20 0:44 ` Namhyung Kim
2015-05-20 0:55 ` Arnaldo Carvalho de Melo
2015-05-19 14:00 ` [PATCH 0/5] perf tools: Some fixes Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1432040746-1755-5-git-send-email-adrian.hunter@intel.com \
--to=adrian.hunter@intel.com \
--cc=acme@kernel.org \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=namhyung@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.