From: Namhyung Kim <namhyung@kernel.org>
To: Ian Rogers <irogers@google.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>,
Kan Liang <kan.liang@linux.intel.com>,
Jiri Olsa <jolsa@kernel.org>,
Adrian Hunter <adrian.hunter@intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 3/3] perf tools: Fix use-after-free in help_unknown_cmd()
Date: Tue, 1 Jul 2025 12:57:45 -0700 [thread overview]
Message-ID: <aGQ9ucA3BH1OXzlf@google.com> (raw)
In-Reply-To: <CAP-5=fXdzL1ZQQCFFU0crNpT7wiW4gtfbN1=p89BnmzWBU4mHw@mail.gmail.com>
On Tue, Jul 01, 2025 at 09:03:46AM -0700, Ian Rogers wrote:
> On Mon, Jun 30, 2025 at 4:32 PM Namhyung Kim <namhyung@kernel.org> wrote:
> >
> > Currently perf aborts when it finds an invalid command. I guess it
> > depends on the environment as I have some custom commands in the path.
> >
> > $ perf bad-command
> > perf: 'bad-command' is not a perf-command. See 'perf --help'.
> > Aborted (core dumped)
> >
> > It's because the exclude_cmds() in libsubcmd has a use-after-free when
> > it removes some entries. After copying one to another entry, it keeps
> > the pointer in the both position. And the next copy operation will free
> > the later one but it's the same entry in the previous one.
> >
> > For example, let's say cmds = { A, B, C, D, E } and excludes = { B, E }.
> >
> > ci cj ei cmds-name excludes
> > -----------+--------------------
> > 0 0 0 | A B : cmp < 0, ci == cj
> > 1 1 0 | B B : cmp == 0
> > 2 1 1 | C E : cmp < 0, ci != cj
> >
> > At this point, it frees cmds->names[1] and cmds->names[1] is assigned to
> > cmds->names[2].
> >
> > 3 2 1 | D E : cmp < 0, ci != cj
> >
> > Now it frees cmds->names[2] but it's the same as cmds->names[1]. So
> > accessing cmds->names[1] will be invalid.
> >
> > This makes the subcmd tests succeed.
> >
> > $ perf test subcmd
> > 69: libsubcmd help tests :
> > 69.1: Load subcmd names : Ok
> > 69.2: Uniquify subcmd names : Ok
> > 69.3: Exclude duplicate subcmd names : Ok
> >
> > Fixes: 657a3efee43a ("libsubcmd: Avoid SEGV/use-after-free when commands aren't excluded")
> > Signed-off-by: Namhyung Kim <namhyung@kernel.org>
>
> Reviewed-by: Ian Rogers <irogers@google.com>
>
> Fwiw, it seems a shame we're doing this and the code in git is drifting apart:
>
> https://github.com/git/git/blob/83014dc05f6fc9275c0a02886cb428805abaf9e5/help.c#L204
Maybe we can send a fix for them too.
Thanks,
Namhyung
next prev parent reply other threads:[~2025-07-01 19:57 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-30 23:32 [PATCH 1/3] perf test: Check test suite description only Namhyung Kim
2025-06-30 23:32 ` [PATCH 2/3] perf test: Add libsubcmd help tests Namhyung Kim
2025-07-01 15:54 ` Ian Rogers
2025-07-01 19:56 ` Namhyung Kim
2025-06-30 23:32 ` [PATCH 3/3] perf tools: Fix use-after-free in help_unknown_cmd() Namhyung Kim
2025-07-01 16:03 ` Ian Rogers
2025-07-01 19:57 ` Namhyung Kim [this message]
2025-07-01 15:51 ` [PATCH 1/3] perf test: Check test suite description only Ian Rogers
2025-07-01 19:49 ` Namhyung Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aGQ9ucA3BH1OXzlf@google.com \
--to=namhyung@kernel.org \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=irogers@google.com \
--cc=jolsa@kernel.org \
--cc=kan.liang@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.