From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Andi Kleen <ak@linux.intel.com>
Cc: linux-perf-users@vger.kernel.org, adrian.hunter@intel.com,
namhyung@kernel.org
Subject: Re: [PATCH v1 01/10] perf: Avoid buffer overflow in python register interface
Date: Thu, 12 Sep 2024 09:41:55 -0300 [thread overview]
Message-ID: <ZuLhk6yGrr2HET6d@x1> (raw)
In-Reply-To: <20240905015300.2124798-2-ak@linux.intel.com>
On Wed, Sep 04, 2024 at 06:50:09PM -0700, Andi Kleen wrote:
> Running a script that processes PEBS records gives buffer overflows
> in valgrind. The problem is that the allocation of the register
> string doesn't include the terminating 0 byte. Fix this. I also replaced
> the very magic "28" with a more reasonable larger buffer that should
> fit all registers. There's no need to conserve memory here.
I applied this one already.
But you used the wrong list address, perf-tools-users@vger, I'm fixing
this up now to linux-perf-users@vger so that the message reaches the
mailing list.
I waited a bit for reviewers but then realized the problem with the list
address when trying to use b4 to fetch it from lore :-\
- Arnaldo
> ==2106591== Memcheck, a memory error detector
> ==2106591== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
> ==2106591== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
> ==2106591== Command: ../perf script -i tcall.data gcov.py tcall.gcov
> ==2106591==
> ==2106591== Invalid write of size 1
> ==2106591== at 0x713354: regs_map (trace-event-python.c:748)
> ==2106591== by 0x7134EB: set_regs_in_dict (trace-event-python.c:784)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591== Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
> ==2106591== at 0x484280F: malloc (vg_replace_malloc.c:442)
> ==2106591== by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591==
> ==2106591== Invalid read of size 1
> ==2106591== at 0x484B6C6: strlen (vg_replace_strmem.c:502)
> ==2106591== by 0x555D494: PyUnicode_FromString (unicodeobject.c:1899)
> ==2106591== by 0x7134F7: set_regs_in_dict (trace-event-python.c:786)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
> ==2106591== at 0x484280F: malloc (vg_replace_malloc.c:442)
> ==2106591== by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591==
> ==2106591== Invalid write of size 1
> ==2106591== at 0x713354: regs_map (trace-event-python.c:748)
> ==2106591== by 0x713539: set_regs_in_dict (trace-event-python.c:789)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591== Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
> ==2106591== at 0x484280F: malloc (vg_replace_malloc.c:442)
> ==2106591== by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591==
> ==2106591== Invalid read of size 1
> ==2106591== at 0x484B6C6: strlen (vg_replace_strmem.c:502)
> ==2106591== by 0x555D494: PyUnicode_FromString (unicodeobject.c:1899)
> ==2106591== by 0x713545: set_regs_in_dict (trace-event-python.c:791)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
> ==2106591== at 0x484280F: malloc (vg_replace_malloc.c:442)
> ==2106591== by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591==
> 73056 total, 29 ignored
>
> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> ---
> .../perf/util/scripting-engines/trace-event-python.c | 11 +++--------
> 1 file changed, 3 insertions(+), 8 deletions(-)
>
> diff --git a/tools/perf/util/scripting-engines/trace-event-python.c b/tools/perf/util/scripting-engines/trace-event-python.c
> index 6971dd6c231f..d7183134b669 100644
> --- a/tools/perf/util/scripting-engines/trace-event-python.c
> +++ b/tools/perf/util/scripting-engines/trace-event-python.c
> @@ -762,6 +762,8 @@ static void regs_map(struct regs_dump *regs, uint64_t mask, const char *arch, ch
> }
> }
>
> +#define MAX_REG_SIZE 128
> +
> static int set_regs_in_dict(PyObject *dict,
> struct perf_sample *sample,
> struct evsel *evsel)
> @@ -769,14 +771,7 @@ static int set_regs_in_dict(PyObject *dict,
> struct perf_event_attr *attr = &evsel->core.attr;
> const char *arch = perf_env__arch(evsel__env(evsel));
>
> - /*
> - * Here value 28 is a constant size which can be used to print
> - * one register value and its corresponds to:
> - * 16 chars is to specify 64 bit register in hexadecimal.
> - * 2 chars is for appending "0x" to the hexadecimal value and
> - * 10 chars is for register name.
> - */
> - int size = __sw_hweight64(attr->sample_regs_intr) * 28;
> + int size = (__sw_hweight64(attr->sample_regs_intr) * MAX_REG_SIZE) + 1;
> char *bf = malloc(size);
> if (!bf)
> return -1;
> --
> 2.45.2
next parent reply other threads:[~2024-09-12 12:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240905015300.2124798-1-ak@linux.intel.com>
[not found] ` <20240905015300.2124798-2-ak@linux.intel.com>
2024-09-12 12:41 ` Arnaldo Carvalho de Melo [this message]
2024-09-12 14:38 ` [PATCH v1 01/10] perf: Avoid buffer overflow in python register interface Andi Kleen
2024-09-12 14:53 ` Arnaldo Carvalho de Melo
[not found] ` <20240905015300.2124798-3-ak@linux.intel.com>
2024-09-12 12:51 ` [PATCH v1 02/10] perf: Support discriminator in addr2line Arnaldo Carvalho de Melo
2024-09-12 14:58 ` Andi Kleen
2024-09-05 15:07 [RESEND] More dwarf support in python interface Andi Kleen
2024-09-05 15:07 ` [PATCH v1 01/10] perf: Avoid buffer overflow in python register interface Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZuLhk6yGrr2HET6d@x1 \
--to=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=ak@linux.intel.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=namhyung@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.