[PATCH] perf: prevent overflow in size calculation

[PATCH] perf: prevent overflow in size calculation

[Cody Schafer]

A large enough symbol size causes an overflow in the size parameter to the
histogram allocation, leading to a segfault in symbol__inc_addr_samples later
on when this histogram is accessed.

In the case of being called via perf-report, this returns back and
gracefully ignores the sample, eventually ignoring the chained return
value of perf_session_deliver_event in flush_sample_queue.

Signed-off-by: Cody Schafer <cody@linux.vnet.ibm.com>
---
 tools/perf/util/annotate.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
index 8069dfb..6f78f20 100644
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -426,8 +426,13 @@ int symbol__alloc_hist(struct symbol *sym)
 {
 	struct annotation *notes = symbol__annotation(sym);
 	const size_t size = symbol__size(sym);
-	size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+	size_t sizeof_sym_hist;
 
+	/* Check for overflow when calculating sizeof_sym_hist */
+	if (size > (SIZE_MAX / sizeof(u64)))
+		return -1;
+
+	sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
 	notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events * sizeof_sym_hist);
 	if (notes->src == NULL)
 		return -1;
-- 
1.7.9.5

Re: [PATCH] perf: prevent overflow in size calculation

[Namhyung Kim]

Hi, Cody

On Thu, 19 Jul 2012 17:13:35 -0700, Cody Schafer wrote:
> A large enough symbol size causes an overflow in the size parameter to the
> histogram allocation, leading to a segfault in symbol__inc_addr_samples later
> on when this histogram is accessed.
>
> In the case of being called via perf-report, this returns back and
> gracefully ignores the sample, eventually ignoring the chained return
> value of perf_session_deliver_event in flush_sample_queue.
>
> Signed-off-by: Cody Schafer <cody@linux.vnet.ibm.com>
> ---
>  tools/perf/util/annotate.c |    7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
> index 8069dfb..6f78f20 100644
> --- a/tools/perf/util/annotate.c
> +++ b/tools/perf/util/annotate.c
> @@ -426,8 +426,13 @@ int symbol__alloc_hist(struct symbol *sym)
>  {
>  	struct annotation *notes = symbol__annotation(sym);
>  	const size_t size = symbol__size(sym);
> -	size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
> +	size_t sizeof_sym_hist;
>  
> +	/* Check for overflow when calculating sizeof_sym_hist */
> +	if (size > (SIZE_MAX / sizeof(u64)))
> +		return -1;

How does it guarantee that the end result which used in zalloc below
would not overflow?

Thanks,
Namhyung


> +
> +	sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
>  	notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events * sizeof_sym_hist);
>  	if (notes->src == NULL)
>  		return -1;

[PATCH v2] perf: prevent overflow in size calculation

[Cody Schafer]

A large enough symbol size causes an overflow in the size parameter to the
histogram allocation, leading to a segfault in symbol__inc_addr_samples later
on when this histogram is accessed.

In the case of being called via perf-report, this returns back and
gracefully ignores the sample, eventually ignoring the chained return
value of perf_session_deliver_event in flush_sample_queue.

Signed-off-by: Cody Schafer <cody@linux.vnet.ibm.com>
---
 tools/perf/util/annotate.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
index 8069dfb..73a1919 100644
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -426,7 +426,18 @@ int symbol__alloc_hist(struct symbol *sym)
 {
 	struct annotation *notes = symbol__annotation(sym);
 	const size_t size = symbol__size(sym);
-	size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+	size_t sizeof_sym_hist;
+
+	/* Check for overflow when calculating sizeof_sym_hist */
+	if (size > (SIZE_MAX / sizeof(u64) - sizeof(struct sym_hist)))
+		return -1;
+
+	sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+
+	/* Check for overflow in zalloc argument */
+	if (sizeof_sym_hist > (SIZE_MAX / symbol_conf.nr_events
+				- sizeof(*notes->src)))
+		return -1;
 
 	notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events * sizeof_sym_hist);
 	if (notes->src == NULL)
-- 
1.7.9.5

Re: [PATCH] perf: prevent overflow in size calculation

[Cody P Schafer]

>> +	/* Check for overflow when calculating sizeof_sym_hist */
>> +	if (size > (SIZE_MAX / sizeof(u64)))
>> +		return -1;
>
> How does it guarantee that the end result which used in zalloc below
> would not overflow?
>
>> +
>> +	sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
>>   	notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events * sizeof_sym_hist);
>>   	if (notes->src == NULL)
>>   		return -1;

Whoops. Thanks for pointing that out.
I've sent a fixed up patch (the check for sizeof_sym_hist wasn't even 
complete)

--
Cody

Re: [PATCH v2] perf: prevent overflow in size calculation

[Cody P Schafer]

>   	struct annotation *notes = symbol__annotation(sym);
>   	const size_t size = symbol__size(sym);
> -	size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
> +	size_t sizeof_sym_hist;
> +
> +	/* Check for overflow when calculating sizeof_sym_hist */
> +	if (size > (SIZE_MAX / sizeof(u64) - sizeof(struct sym_hist)))
> +		return -1;
> +
> +	sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
> +
> +	/* Check for overflow in zalloc argument */
> +	if (sizeof_sym_hist > (SIZE_MAX / symbol_conf.nr_events
> +				- sizeof(*notes->src)))
> +		return -1;
>
>   	notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events * sizeof_sym_hist);
>   	if (notes->src == NULL)
>

Actually, I don't think this is correct either (subtraction seems to 
occur in the wrong spot).

[PATCH v3] perf: prevent overflow in size calculation

[Cody Schafer]

A large enough symbol size causes an overflow in the size parameter to the
histogram allocation, leading to a segfault in symbol__inc_addr_samples later
on when this histogram is accessed.

In the case of being called via perf-report, this returns back and
gracefully ignores the sample, eventually ignoring the chained return
value of perf_session_deliver_event in flush_sample_queue.

Signed-off-by: Cody Schafer <cody@linux.vnet.ibm.com>
---
 tools/perf/util/annotate.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
index 8069dfb..d88693e 100644
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -426,7 +426,18 @@ int symbol__alloc_hist(struct symbol *sym)
 {
 	struct annotation *notes = symbol__annotation(sym);
 	const size_t size = symbol__size(sym);
-	size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+	size_t sizeof_sym_hist;
+
+	/* Check for overflow when calculating sizeof_sym_hist */
+	if (size > (SIZE_MAX - sizeof(struct sym_hist)) / sizeof(u64))
+		return -1;
+
+	sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+
+	/* Check for overflow in zalloc argument */
+	if (sizeof_sym_hist > (SIZE_MAX - sizeof(*notes->src))
+				/ symbol_conf.nr_events)
+		return -1;
 
 	notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events * sizeof_sym_hist);
 	if (notes->src == NULL)
-- 
1.7.9.5

[tip:perf/core] perf annotate: Prevent overflow in size calculation

[tip-bot for Cody Schafer]

Commit-ID:  8696329b7bcf32e69ad12d5975ad1497936d43ec
Gitweb:     http://git.kernel.org/tip/8696329b7bcf32e69ad12d5975ad1497936d43ec
Author:     Cody Schafer <cody@linux.vnet.ibm.com>
AuthorDate: Thu, 19 Jul 2012 20:05:25 -0700
Committer:  Arnaldo Carvalho de Melo <acme@redhat.com>
CommitDate: Wed, 25 Jul 2012 13:06:42 -0300

perf annotate: Prevent overflow in size calculation

A large enough symbol size causes an overflow in the size parameter to
the histogram allocation, leading to a segfault in
symbol__inc_addr_samples later on when this histogram is accessed.

In the case of being called via perf-report, this returns back and
gracefully ignores the sample, eventually ignoring the chained return
value of perf_session_deliver_event in flush_sample_queue.

Signed-off-by: Cody Schafer <cody@linux.vnet.ibm.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
Link: http://lkml.kernel.org/r/1342753525-4521-1-git-send-email-cody@linux.vnet.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 tools/perf/util/annotate.c |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
index 7d3641f..3a282c0 100644
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -426,7 +426,18 @@ int symbol__alloc_hist(struct symbol *sym)
 {
 	struct annotation *notes = symbol__annotation(sym);
 	const size_t size = symbol__size(sym);
-	size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+	size_t sizeof_sym_hist;
+
+	/* Check for overflow when calculating sizeof_sym_hist */
+	if (size > (SIZE_MAX - sizeof(struct sym_hist)) / sizeof(u64))
+		return -1;
+
+	sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+
+	/* Check for overflow in zalloc argument */
+	if (sizeof_sym_hist > (SIZE_MAX - sizeof(*notes->src))
+				/ symbol_conf.nr_events)
+		return -1;
 
 	notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events * sizeof_sym_hist);
 	if (notes->src == NULL)