From: Jiri Olsa <jolsa@redhat.com>
To: Andi Kleen <andi@firstfloor.org>
Cc: acme@kernel.org, jolsa@kernel.org, linux-kernel@vger.kernel.org,
Andi Kleen <ak@linux.intel.com>
Subject: Re: [PATCH v2 02/19] perf, tools: Fix buffer overflow while freeing events
Date: Tue, 22 Aug 2017 10:20:22 +0200
Message-ID: <20170822082022.GB23985@krava>
In-Reply-To: <20170811232634.30465-2-andi@firstfloor.org>
On Fri, Aug 11, 2017 at 04:26:17PM -0700, Andi Kleen wrote:
> From: Andi Kleen <ak@linux.intel.com>
>
> Fix buffer overflow for
>
> % perf stat -e msr/tsc/,cstate_core/c7-residency/ true
>
> that causes glibc free list corruption. For some reason
> it doesn't trigger in valgrind, but it is visible in AS:
>
> =================================================================
> ==32681==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000003f5c at pc 0x0000005671ef bp 0x7ffdaaac9ac0 sp 0x7ffdaaac9ab0
> READ of size 4 at 0x603000003f5c thread T0
> #0 0x5671ee in perf_evsel__close_fd util/evsel.c:1196
> #1 0x56c57a in perf_evsel__close util/evsel.c:1717
> #2 0x55ed5f in perf_evlist__close util/evlist.c:1631
> #3 0x4647e1 in __run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:749
> #4 0x4648e3 in run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:767
> #5 0x46e1bc in cmd_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:2785
> #6 0x52f83d in run_builtin /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:296
> #7 0x52fd49 in handle_internal_command /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:348
> #8 0x5300de in run_argv /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:392
> #9 0x5308f3 in main /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:530
> #10 0x7f0672d13400 in __libc_start_main (/lib64/libc.so.6+0x20400)
> #11 0x428419 in _start (/home/ak/hle/obj-perf/perf+0x428419)
>
> 0x603000003f5c is located 0 bytes to the right of 28-byte region [0x603000003f40,0x603000003f5c)
> allocated by thread T0 here:
> #0 0x7f0675139020 in calloc (/lib64/libasan.so.3+0xc7020)
> #1 0x648a2d in zalloc util/util.h:23
> #2 0x648a88 in xyarray__new util/xyarray.c:9
> #3 0x566419 in perf_evsel__alloc_fd util/evsel.c:1039
> #4 0x56b427 in perf_evsel__open util/evsel.c:1529
> #5 0x56c620 in perf_evsel__open_per_thread util/evsel.c:1730
> #6 0x461dea in create_perf_stat_counter /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:263
> #7 0x4637d7 in __run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:600
> #8 0x4648e3 in run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:767
> #9 0x46e1bc in cmd_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:2785
> #10 0x52f83d in run_builtin /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:296
> #11 0x52fd49 in handle_internal_command /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:348
> #12 0x5300de in run_argv /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:392
> #13 0x5308f3 in main /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:530
> #14 0x7f0672d13400 in __libc_start_main (/lib64/libc.so.6+0x20400)
>
> The event is allocated with cpus == 1, but freed with cpus == real number.
> When the evsel close function walks the file descriptors it exceeds the
> fd xyarray boundaries and reads random memory.
>
> v2:
> Now that xyarrays save their original dimensions we can use these
> to iterate the two dimensional fd arrays. Fix some users
> (close, ioctl) in evsel.c to use these fields directly. This allows simplifying
> the code and dropping quite a few function arguments. Adjust
> all callers by removing the unneeded arguments.
>
> The actual perf event reading still uses the original values from
> the evsel list.
I was wondering how much code change this would be,
but it turned out not that bad ;-)
Acked-by: Jiri Olsa <jolsa@kernel.org>
thanks,
jirka
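The allocation/free dimension mismatch described in the quoted commit message, as an added illustration in C (a constructed toy, not the perf tools source): an xyarray that records max_x/max_y, the pre-fix walk driven by caller-supplied cpu/thread counts, and the v2 walk driven by the stored dimensions. The function names, the FD() accessor and the use of -1 as the "closed" marker are assumptions modelled on the description above.

```c
#include <stdlib.h>

/* Toy model of perf's xyarray once it remembers its own dimensions
 * (constructed example, not the perf tools source). Slots hold fds;
 * "closing" marks a slot -1, as perf does after close(2). */
struct xyarray {
	size_t row_size, entry_size, max_x, max_y;
	char contents[];
};

struct xyarray *xyarray__new(int xlen, int ylen, size_t entry_size)
{
	struct xyarray *xy = calloc(1, sizeof(*xy) + xlen * ylen * entry_size);
	if (!xy)
		return NULL;
	xy->entry_size = entry_size;
	xy->row_size = ylen * entry_size;
	xy->max_x = xlen;	/* kept so walkers need no caller-supplied dims */
	xy->max_y = ylen;
	return xy;		/* calloc leaves every slot at fd 0, i.e. "open" */
}

#define FD(xy, cpu, thread) \
	(*(int *)&(xy)->contents[(cpu) * (xy)->row_size + (thread) * (xy)->entry_size])

/* Before: the caller's ncpus/nthreads drive the walk, so an evsel opened with
 * cpus == 1 and closed with the real cpu count steps past the allocation.
 * Slots outside max_x/max_y are counted here instead of dereferenced. */
int close_fd_caller_dims(struct xyarray *xy, int ncpus, int nthreads)
{
	int oob = 0;
	for (int cpu = 0; cpu < ncpus; cpu++)
		for (int thread = 0; thread < nthreads; thread++) {
			if ((size_t)cpu >= xy->max_x || (size_t)thread >= xy->max_y)
				oob++;
			else if (FD(xy, cpu, thread) >= 0)
				FD(xy, cpu, thread) = -1;	/* close(2) would go here */
		}
	return oob;
}

/* After (v2): walk the array's own dimensions; bounds can never disagree. */
int close_fd_stored_dims(struct xyarray *xy)
{
	return close_fd_caller_dims(xy, xy->max_x, xy->max_y);	/* always 0 */
}
```

A 1 x 7 int array is 28 bytes, the region size in the ASan report; closing it with four cpus instead of one touches 21 slots that were never allocated.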