From: Namhyung Kim <namhyung@kernel.org>
To: Ian Rogers <irogers@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Kan Liang <kan.liang@linux.intel.com>,
	linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] perf symbol-minimal: Fix double free in filename__read_build_id
Date: Thu, 1 May 2025 13:25:27 -0700
Message-ID: <aBPYt1G3VpLI5qBa@google.com>
In-Reply-To: <20250501070003.22251-1-irogers@google.com>

Hi Ian,

On Thu, May 01, 2025 at 12:00:03AM -0700, Ian Rogers wrote:
> Running the "perf script task-analyzer tests" with address sanitizer
> showed a double free:
> ```
> FAIL: "test_csv_extended_times" Error message: "Failed to find required string:'Out-Out;'."
> =================================================================
> ==19190==ERROR: AddressSanitizer: attempting double-free on 0x50b000017b10 in thread T0:
>     #0 0x55da9601c78a in free (perf+0x26078a) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a)
>     #1 0x55da96640c63 in filename__read_build_id tools/perf/util/symbol-minimal.c:221:2
> 
> 0x50b000017b10 is located 0 bytes inside of 112-byte region [0x50b000017b10,0x50b000017b80)
> freed by thread T0 here:
>     #0 0x55da9601ce40 in realloc (perf+0x260e40) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a)
>     #1 0x55da96640ad6 in filename__read_build_id tools/perf/util/symbol-minimal.c:204:10
> 
> previously allocated by thread T0 here:
>     #0 0x55da9601ca23 in malloc (perf+0x260a23) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a)
>     #1 0x55da966407e7 in filename__read_build_id tools/perf/util/symbol-minimal.c:181:9
> 
> SUMMARY: AddressSanitizer: double-free (perf+0x26078a) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) in free
> ==19190==ABORTING
> FAIL: "invocation of perf script report task-analyzer --csv-summary csvsummary --summary-extended command failed" Error message: ""
> FAIL: "test_csvsummary_extended" Error message: "Failed to find required string:'Out-Out;'."
> ---- end(-1) ----
> 132: perf script task-analyzer tests                                 : FAILED!
> ```
> 
> The buf_size is always set to phdr->p_filesz, but that may be 0
> causing a free and realloc to return NULL. This is treated in
> filename__read_build_id like a failure and the buffer is freed again.
> 
> To avoid this problem only grow buf, meaning the buf_size will never
> be 0. This also reduces the number of memory (re)allocations.

Thanks for fixing this!

Acked-by: Namhyung Kim <namhyung@kernel.org>

Thanks,
Namhyung

> 
> Fixes: b691f64360ec ("perf symbols: Implement poor man's ELF parser")
> Signed-off-by: Ian Rogers <irogers@google.com>
> ---
>  tools/perf/util/symbol-minimal.c | 34 +++++++++++++++++---------------
>  1 file changed, 18 insertions(+), 16 deletions(-)
> 
> diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c
> index c6f369b5d893..d8da3da01fe6 100644
> --- a/tools/perf/util/symbol-minimal.c
> +++ b/tools/perf/util/symbol-minimal.c
> @@ -147,18 +147,19 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
>  			if (phdr->p_type != PT_NOTE)
>  				continue;
>  
> -			buf_size = phdr->p_filesz;
>  			offset = phdr->p_offset;
> -			tmp = realloc(buf, buf_size);
> -			if (tmp == NULL)
> -				goto out_free;
> -
> -			buf = tmp;
> +			if (phdr->p_filesz > buf_size) {
> +				buf_size = phdr->p_filesz;
> +				tmp = realloc(buf, buf_size);
> +				if (tmp == NULL)
> +					goto out_free;
> +				buf = tmp;
> +			}
>  			fseek(fp, offset, SEEK_SET);
> -			if (fread(buf, buf_size, 1, fp) != 1)
> +			if (fread(buf, phdr->p_filesz, 1, fp) != 1)
>  				goto out_free;
>  
> -			ret = read_build_id(buf, buf_size, bid, need_swap);
> +			ret = read_build_id(buf, phdr->p_filesz, bid, need_swap);
>  			if (ret == 0) {
>  				ret = bid->size;
>  				break;
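Review bot: a zero-length PT_NOTE segment still aborts the scan instead of being skipped: with the grow-only guard no realloc is issued for `p_filesz == 0`, but the `fread(buf, phdr->p_filesz, 1, fp) != 1` that follows returns 0 for a zero size, so the code jumps to `out_free` and never examines later PT_NOTE segments. Consider `if (phdr->p_filesz == 0) continue;` next to the `p_type` check so an empty note segment is treated as "nothing here" rather than as a read failure. The grow-only test also relies on `buf_size` holding the current capacity of `buf` on entry to this loop; that initialisation is outside the hunk and is worth confirming, since a stale larger value would skip the realloc and hand `fread` a buffer smaller than `p_filesz`.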
> @@ -199,18 +200,19 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
>  			if (phdr->p_type != PT_NOTE)
>  				continue;
>  
> -			buf_size = phdr->p_filesz;
>  			offset = phdr->p_offset;
> -			tmp = realloc(buf, buf_size);
> -			if (tmp == NULL)
> -				goto out_free;
> -
> -			buf = tmp;
> +			if (phdr->p_filesz > buf_size) {
> +				buf_size = phdr->p_filesz;
> +				tmp = realloc(buf, buf_size);
> +				if (tmp == NULL)
> +					goto out_free;
> +				buf = tmp;
> +			}
>  			fseek(fp, offset, SEEK_SET);
> -			if (fread(buf, buf_size, 1, fp) != 1)
> +			if (fread(buf, phdr->p_filesz, 1, fp) != 1)
>  				goto out_free;
>  
> -			ret = read_build_id(buf, buf_size, bid, need_swap);
> +			ret = read_build_id(buf, phdr->p_filesz, bid, need_swap);
>  			if (ret == 0) {
>  				ret = bid->size;
>  				break;
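Review bot: this hunk is a verbatim copy of the change in the first hunk, so the two ELF-class loops now carry identical grow-and-read logic that has to be kept in sync by hand; factoring the "grow `buf` to `p_filesz`, seek, read" step into a small helper taking `fp`, `&buf`, `&buf_size`, the offset and the size would let a follow-up such as a `p_filesz == 0` guard before the `fread` land once instead of twice. While touching both copies, the return value of `fseek(fp, offset, SEEK_SET)` is still unchecked; `offset` comes from the file's program header, and on a failed seek the subsequent `fread` silently reads from whatever the current position happens to be.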
> -- 
> 2.49.0.967.g6a0df3ecc3-goog
> 
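The failure described in the commit message, modelled as an added C example that is not code from the patch or from perf: a walk over the `p_filesz` values of a constructed list of PT_NOTE segments, once with the pre-patch resize-every strategy and once with the patch's grow-only strategy, counting how many `realloc` calls each issues and whether any of them would be a zero-size request. The segment sizes, the `walk_stats` struct and the `walk_*` function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample: the p_filesz of four consecutive PT_NOTE segments,
 * including a zero-length one like the segment behind the report. These
 * are made-up numbers, not values from a real ELF file. */
static const size_t sample_note_sizes[] = { 32, 0, 112, 64 };
static const size_t sample_note_count =
	sizeof(sample_note_sizes) / sizeof(sample_note_sizes[0]);

struct walk_stats {
	int reallocs;       /* realloc() calls actually issued */
	int zero_requests;  /* realloc(buf, 0) the pre-patch code would issue */
	size_t final_size;  /* buf_size when the walk ends */
};

/*
 * Pre-patch strategy: set buf_size to every segment's p_filesz and realloc
 * to it. For p_filesz == 0 that is realloc(buf, 0): the C standard leaves a
 * zero-size request implementation-defined, and glibc frees buf and returns
 * NULL, which the caller then treats as an allocation failure and frees buf
 * a second time. To stay runnable this model counts the zero-size request
 * instead of issuing it.
 */
struct walk_stats walk_resize_every(const size_t *sizes, size_t n)
{
	struct walk_stats st = { 0, 0, 0 };
	char *buf = NULL, *tmp;
	size_t buf_size = 0;

	for (size_t i = 0; i < n; i++) {
		buf_size = sizes[i];
		if (buf_size == 0) {
			st.zero_requests++;
			continue;  /* the original code would double free here */
		}
		tmp = realloc(buf, buf_size);
		st.reallocs++;
		if (tmp == NULL) {
			free(buf);
			exit(EXIT_FAILURE);
		}
		buf = tmp;
	}
	st.final_size = buf_size;
	free(buf);
	return st;
}

/*
 * Strategy of the patch: only grow. buf_size never shrinks, so once a
 * non-empty segment has been seen it can never be 0 again, no realloc(buf, 0)
 * is issued (zero_requests stays 0 by construction), and segments that fit
 * the current buffer reuse it. Each segment is then read with its own
 * p_filesz, not with buf_size.
 */
struct walk_stats walk_grow_only(const size_t *sizes, size_t n)
{
	struct walk_stats st = { 0, 0, 0 };
	char *buf = NULL, *tmp;
	size_t buf_size = 0;

	for (size_t i = 0; i < n; i++) {
		if (sizes[i] > buf_size) {
			buf_size = sizes[i];
			tmp = realloc(buf, buf_size);
			st.reallocs++;
			if (tmp == NULL) {
				free(buf);
				exit(EXIT_FAILURE);
			}
			buf = tmp;
		}
	}
	st.final_size = buf_size;
	free(buf);
	return st;
}

int main(void)
{
	struct walk_stats a = walk_resize_every(sample_note_sizes, sample_note_count);
	struct walk_stats b = walk_grow_only(sample_note_sizes, sample_note_count);

	printf("resize-every: %d reallocs, %d zero-size requests, final size %zu\n",
	       a.reallocs, a.zero_requests, a.final_size);
	printf("grow-only:    %d reallocs, %d zero-size requests, final size %zu\n",
	       b.reallocs, b.zero_requests, b.final_size);
	return 0;
}
```

On the sample the resize-every walk issues three reallocs plus one zero-size request, while the grow-only walk issues two reallocs and none of size zero, which is the "fewer (re)allocations" part of the commit message. The model stops at the allocation step; what happens when the zero-length segment is subsequently read with `fread` is a separate question for the patch itself.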
