From: Masami Hiramatsu <mhiramat@kernel.org>
To: Li Huafei <lihuafei1@huawei.com>
Cc: <acme@kernel.org>, <namhyung@kernel.org>, <peterz@infradead.org>,
<mingo@redhat.com>, <mark.rutland@arm.com>,
<alexander.shishkin@linux.intel.com>, <jolsa@redhat.com>,
<srikar@linux.vnet.ibm.com>, <fche@redhat.com>,
<Jianlin.Lv@arm.com>, <linux-perf-users@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <yangjihong1@huawei.com>,
<zhangjinhao2@huawei.com>
Subject: Re: [PATCH] perf probe: Fix null pointer dereference in convert_variable_location()
Date: Wed, 2 Jun 2021 08:45:45 +0900 [thread overview]
Message-ID: <20210602084545.99e6d7d43e183ceaa603d247@kernel.org> (raw)
In-Reply-To: <20210601092750.169601-1-lihuafei1@huawei.com>
On Tue, 1 Jun 2021 17:27:50 +0800
Li Huafei <lihuafei1@huawei.com> wrote:
> If we just check whether the variable can be converted, 'tvar' should be
> a null pointer. However, the null pointer check is missing in the
> 'Constant value' execution path.
>
> The following cases can trigger this problem:
>
> $ cat test.c
> #include <stdio.h>
>
> void main(void)
> {
> int a;
> const int b = 1;
>
> asm volatile("mov %1, %0" : "=r"(a): "i"(b));
> printf("a: %d\n", a);
> }
>
> $ gcc test.c -o test -O -g
> $ sudo ./perf probe -x ./test -L "main"
> <main@/home/lhf/test.c:0>
> 0 void main(void)
> {
> 2 int a;
> const int b = 1;
>
> asm volatile("mov %1, %0" : "=r"(a): "i"(b));
> 6 printf("a: %d\n", a);
> }
>
> $ sudo ./perf probe -x ./test -V "main:6"
> Segmentation fault
Oops, thanks for fixing!
>
> The check on 'tvar' is added. If 'tavr' is a null pointer, we return 0
> to indicate that the variable can be converted. Now, we can successfully
> show the variables that can be accessed.
>
> $ sudo ./perf probe -x ./test -V "main:6"
> Available variables at main:6
> @<main+13>
> char* __fmt
> int a
> int b
>
> However, the variable 'b' cannot be tracked.
>
> $ sudo ./perf probe -x ./test -D "main:6 b"
> Failed to find the location of the 'b' variable at this address.
> Perhaps it has been optimized out.
> Use -V with the --range option to show 'b' location range.
> Error: Failed to add events.
>
> This is because __die_find_variable_cb() did not successfully match
> variable 'b', which has the DW_AT_const_value attribute instead of
> DW_AT_location. We added support for DW_AT_const_value in
> __die_find_variable_cb(). With this modification, we can successfully
> track the variable 'b'.
>
> $ sudo ./perf probe -x ./test -D "main:6 b"
> p:probe_test/main_L6 /home/lhf/test:0x1156 b=\1:s32
Great! This looks good to me.
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Thank you!
>
> Fixes: 66f69b219716 ("perf probe: Support DW_AT_const_value constant value")
> Signed-off-by: Li Huafei <lihuafei1@huawei.com>
> ---
> tools/perf/util/dwarf-aux.c | 8 ++++++--
> tools/perf/util/probe-finder.c | 3 +++
> 2 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
> index b2f4920e19a6..7d2ba8419b0c 100644
> --- a/tools/perf/util/dwarf-aux.c
> +++ b/tools/perf/util/dwarf-aux.c
> @@ -975,9 +975,13 @@ static int __die_find_variable_cb(Dwarf_Die *die_mem, void *data)
> if ((tag == DW_TAG_formal_parameter ||
> tag == DW_TAG_variable) &&
> die_compare_name(die_mem, fvp->name) &&
> - /* Does the DIE have location information or external instance? */
> + /*
> + * Does the DIE have location information or const value
> + * or external instance?
> + */
> (dwarf_attr(die_mem, DW_AT_external, &attr) ||
> - dwarf_attr(die_mem, DW_AT_location, &attr)))
> + dwarf_attr(die_mem, DW_AT_location, &attr) ||
> + dwarf_attr(die_mem, DW_AT_const_value, &attr)))
> return DIE_FIND_CB_END;
> if (dwarf_haspc(die_mem, fvp->addr))
> return DIE_FIND_CB_CONTINUE;
> diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
> index 866f2d514d72..b029c29ce227 100644
> --- a/tools/perf/util/probe-finder.c
> +++ b/tools/perf/util/probe-finder.c
> @@ -190,6 +190,9 @@ static int convert_variable_location(Dwarf_Die *vr_die, Dwarf_Addr addr,
> immediate_value_is_supported()) {
> Dwarf_Sword snum;
>
> + if (!tvar)
> + return 0;
> +
> dwarf_formsdata(&attr, &snum);
> ret = asprintf(&tvar->value, "\\%ld", (long)snum);
>
> --
> 2.17.1
>
--
Masami Hiramatsu <mhiramat@kernel.org>
prev parent reply other threads:[~2021-06-01 23:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-01 9:27 [PATCH] perf probe: Fix null pointer dereference in convert_variable_location() Li Huafei
2021-06-01 13:23 ` Arnaldo Carvalho de Melo
2021-06-01 23:45 ` Masami Hiramatsu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210602084545.99e6d7d43e183ceaa603d247@kernel.org \
--to=mhiramat@kernel.org \
--cc=Jianlin.Lv@arm.com \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=fche@redhat.com \
--cc=jolsa@redhat.com \
--cc=lihuafei1@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=srikar@linux.vnet.ibm.com \
--cc=yangjihong1@huawei.com \
--cc=zhangjinhao2@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.