* [patch] perf report segfault with 0-sized strings
@ 2019-07-25 18:27 Vince Weaver
From: Vince Weaver @ 2019-07-25 18:27 UTC (permalink / raw)
To: linux-kernel
Cc: Arnaldo Carvalho de Melo, Peter Zijlstra, Ingo Molnar,
Alexander Shishkin, Jiri Olsa, Namhyung Kim
Hello,
the perf_data_fuzzer found an issue when strings have size 0.
malloc() in do_read_string() is happy to allocate a string of
size 0 but when code (in this case the pmu parser) tries to work with
those it will segfault.
Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index c24db7f4909c..641129efa987 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -251,6 +252,9 @@ static char *do_read_string(struct feat_fd *ff)
if (do_read_u32(ff, &len))
return NULL;
+ if (len==0)
+ return NULL;
+
buf = malloc(len);
if (!buf)
return NULL;
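Review bot: the new `if (len==0)` check returns the same NULL that the `do_read_u32()` failure path returns two lines above, so callers can no longer tell a zero-length string from a read error; that is only safe if every caller treats NULL as "feature absent" rather than "header broken", so the commit message should say explicitly that a zero length is a malformed header, not an empty string. Style: kernel coding style wants spaces around the operator, `if (len == 0)` or `if (!len)`.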
@@ -1781,6 +1785,10 @@ static void print_pmu_mappings(struct feat_fd *ff, FILE *fp)
str = ff->ph->env.pmu_mappings;
while (pmu_num) {
+
+ if (str==NULL)
+ goto error;
+
type = strtoul(str, &tmp, 0);
if (*tmp != ':')
goto error;
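Review bot: `str` is assigned from `ff->ph->env.pmu_mappings` immediately before `while (pmu_num)`, so the NULL case can be caught once, ahead of the loop, instead of re-checking `str` on every iteration; the extra blank `+` line before the `if` also adds stray whitespace to the function. Style: `if (str == NULL)` (or `if (!str)`), with spaces around the operator.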
* Re: [patch] perf report segfault with 0-sized strings
From: Vince Weaver @ 2019-07-25 19:04 UTC (permalink / raw)
To: linux-kernel
Cc: Arnaldo Carvalho de Melo, Peter Zijlstra, Ingo Molnar,
Alexander Shishkin, Jiri Olsa, Namhyung Kim
Probably all perf_header_strings are affected by this. The fuzzer just
tripped up cmdline now, which needs this fix.
Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index c24db7f4909c..631aa1911f3a 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -1427,6 +1430,8 @@ static void print_cmdline(struct feat_fd *ff, FILE *fp)
fprintf(fp, "# cmdline : ");
+ if (ff->ph->env.cmdline_argv==NULL) return;
+
for (i = 0; i < nr; i++) {
char *argv_i = strdup(ff->ph->env.cmdline_argv[i]);
if (!argv_i) {
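Review bot: the early `return` comes after `fprintf(fp, "# cmdline : ");`, so on the NULL path the report gets a `# cmdline : ` prefix with no newline and nothing following it; move the check above the `fprintf()` (or emit the newline before returning). Style: the body of the `if` belongs on its own line, and the comparison wants spaces, `if (ff->ph->env.cmdline_argv == NULL)` or `if (!ff->ph->env.cmdline_argv)`.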
* Re: [patch] perf report segfault with 0-sized strings
From: Arnaldo Carvalho de Melo @ 2019-07-26 19:10 UTC (permalink / raw)
To: Vince Weaver
Cc: linux-kernel, Peter Zijlstra, Ingo Molnar, Alexander Shishkin,
Jiri Olsa, Namhyung Kim
On Thu, Jul 25, 2019 at 03:04:32PM -0400, Vince Weaver wrote:
>
> probably all perf_header_strings are affected by this. The fuzzer just
> tripped up cmdline now, which needs this fix.
I think we have to catch this earlier, i.e. when processing each
feature, lemme check...
- Arnaldo
> Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
>
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index c24db7f4909c..631aa1911f3a 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
> @@ -1427,6 +1430,8 @@ static void print_cmdline(struct feat_fd *ff, FILE *fp)
>
> fprintf(fp, "# cmdline : ");
>
> + if (ff->ph->env.cmdline_argv==NULL) return;
> +
> for (i = 0; i < nr; i++) {
> char *argv_i = strdup(ff->ph->env.cmdline_argv[i]);
> if (!argv_i) {
--
- Arnaldo
* Re: [patch] perf report segfault with 0-sized strings
From: Arnaldo Carvalho de Melo @ 2019-07-26 19:09 UTC (permalink / raw)
To: Vince Weaver
Cc: linux-kernel, Peter Zijlstra, Ingo Molnar, Alexander Shishkin,
Jiri Olsa, Namhyung Kim
On Thu, Jul 25, 2019 at 02:27:14PM -0400, Vince Weaver wrote:
> Hello,
>
> the perf_data_fuzzer found an issue when strings have size 0.
> malloc() in do_read_string() is happy to allocate a string of
> size 0 but when code (in this case the pmu parser) tries to work with
> those it will segfault.
So here are two fixes, i.e. one is to make do_read_string() to return
NULL when len is 0, which do_read_string() already returns for failure
(NULL) and most of the callers I looked handle that.
The other is to make print_pmu_mappings() deal with a NULL
ff->ph->env.pmu_mappings, agreed?
- Arnaldo
> Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
>
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index c24db7f4909c..641129efa987 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
> @@ -251,6 +252,9 @@ static char *do_read_string(struct feat_fd *ff)
> if (do_read_u32(ff, &len))
> return NULL;
>
> + if (len==0)
> + return NULL;
> +
> buf = malloc(len);
> if (!buf)
> return NULL;
> @@ -1781,6 +1785,10 @@ static void print_pmu_mappings(struct feat_fd *ff, FILE *fp)
> str = ff->ph->env.pmu_mappings;
>
> while (pmu_num) {
> +
> + if (str==NULL)
> + goto error;
> +
> type = strtoul(str, &tmp, 0);
> if (*tmp != ':')
> goto error;
--
- Arnaldo