* [PATCH 0/2] objtool: Fixes in .cold detection logic
From: Josh Poimboeuf @ 2018-11-20 17:52 UTC
To: x86; +Cc: linux-kernel, Artem Savkov, Peter Zijlstra

A couple of objtool fixes from Artem Savkov. Fix a double-free in an error path, and a seg fault seen with -ffunction-sections.

Artem Savkov (2):
  objtool: Fix double-free in .cold detection error path
  objtool: Fix seg fault in .cold detection with -ffunction-sections

 tools/objtool/elf.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

-- 
2.17.2
* [PATCH 1/2] objtool: Fix double-free in .cold detection error path
From: Josh Poimboeuf @ 2018-11-20 17:52 UTC
To: x86; +Cc: linux-kernel, Artem Savkov, Peter Zijlstra

From: Artem Savkov <asavkov@redhat.com>

If read_symbols() fails during the second list traversal (the one dealing with ".cold" subfunctions) it frees the symbol, but never deletes it from the list/hash_table, resulting in the symbol being freed again in elf_close(). Fix it by just returning an error, leaving cleanup to elf_close().

Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
---
 tools/objtool/elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
index 6dbb9fae0f9d..e7a7ac40e045 100644
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -312,7 +312,7 @@ static int read_symbols(struct elf *elf) if (!pfunc) { WARN("%s(): can't find parent function", sym->name); - goto err; + return -1; } sym->pfunc = pfunc;

-- 
2.17.2
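Review bot: the switch from `goto err` to `return -1` at the `if (!pfunc)` check is correct only because, by the time this cold-subfunction pass runs, the symbol is already on the section's symbol list and in the hash table, which is what the commit message relies on for elf_close() to free it exactly once. The earlier failure paths in read_symbols() that still use `goto err` (the label is outside this hunk) presumably free a symbol that was never inserted, so a one-line comment at the `return -1` saying that cleanup is deliberately left to elf_close() would stop a later reader from "harmonising" it back to `goto err` and reintroducing the double free.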
* [tip:core/urgent] objtool: Fix double-free in .cold detection error path
From: tip-bot for Artem Savkov @ 2018-11-20 18:05 UTC
To: linux-tip-commits
Cc: linux-kernel, peterz, torvalds, mingo, tglx, hpa, jpoimboe, asavkov

Commit-ID:  0b9301fb632f7111a3293a30cc5b20f1b82ed08d
Gitweb:     https://git.kernel.org/tip/0b9301fb632f7111a3293a30cc5b20f1b82ed08d
Author:     Artem Savkov <asavkov@redhat.com>
AuthorDate: Tue, 20 Nov 2018 11:52:15 -0600
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Tue, 20 Nov 2018 18:59:00 +0100

objtool: Fix double-free in .cold detection error path

If read_symbols() fails during the second list traversal (the one dealing with ".cold" subfunctions) it frees the symbol, but never deletes it from the list/hash_table, resulting in the symbol being freed again in elf_close(). Fix it by just returning an error, leaving cleanup to elf_close().

Signed-off-by: Artem Savkov <asavkov@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
Link: http://lkml.kernel.org/r/beac5a9b7da9e8be90223459dcbe07766ae437dd.1542736240.git.jpoimboe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 tools/objtool/elf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
index 6dbb9fae0f9d..e7a7ac40e045 100644
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -312,7 +312,7 @@ static int read_symbols(struct elf *elf) if (!pfunc) { WARN("%s(): can't find parent function", sym->name); - goto err; + return -1; } sym->pfunc = pfunc;
* [PATCH 2/2] objtool: Fix seg fault in .cold detection with -ffunction-sections
From: Josh Poimboeuf @ 2018-11-20 17:52 UTC
To: x86; +Cc: linux-kernel, Artem Savkov, Peter Zijlstra

From: Artem Savkov <asavkov@redhat.com>

Because find_symbol_by_name() traverses the same lists as read_symbols(), changing sym->name in place without copying it affects the result of find_symbol_by_name(). In the case where a ".cold" function precedes its parent in sec->symbol_list, it can result in a function being considered a parent of itself. This leads to function length being set to 0 and other consequent side-effects including a segfault in add_switch_table().

The effects of this bug are only visible when building with -ffunction-sections in KCFLAGS.

Fix by copying the search string instead of modifying it in place.

Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
---
 tools/objtool/elf.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
index e7a7ac40e045..b8f3cca8e58b 100644
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -31,6 +31,8 @@ #include "elf.h" #include "warn.h" +#define MAX_NAME_LEN 128 + struct section *find_section_by_name(struct elf *elf, const char *name) { struct section *sec;
@@ -298,6 +300,8 @@ static int read_symbols(struct elf *elf) /* Create parent/child links for any cold subfunctions */ list_for_each_entry(sec, &elf->sections, list) { list_for_each_entry(sym, &sec->symbol_list, list) { + char pname[MAX_NAME_LEN + 1]; + size_t pnamelen; if (sym->type != STT_FUNC) continue; sym->pfunc = sym->cfunc = sym;
@@ -305,9 +309,16 @@ static int read_symbols(struct elf *elf) if (!coldstr) continue; - coldstr[0] = '\0'; - pfunc = find_symbol_by_name(elf, sym->name); - coldstr[0] = '.'; + pnamelen = coldstr - sym->name; + if (pnamelen > MAX_NAME_LEN) { + WARN("%s(): parent function name exceeds maximum length of %d characters", + sym->name, MAX_NAME_LEN); + return -1; + } + + strncpy(pname, sym->name, pnamelen); + pname[pnamelen] = '\0'; + pfunc = find_symbol_by_name(elf, pname); if (!pfunc) { WARN("%s(): can't find parent function",

-- 
2.17.2
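Review bot: `#define MAX_NAME_LEN 128` in the first hunk introduces a hard cap on parent function name length with no comment saying where 128 comes from, and together with the `return -1` in the `pnamelen > MAX_NAME_LEN` branch it turns any ".cold" symbol whose parent name is longer than 128 bytes into a hard objtool failure rather than a warning. A short comment on the define (and a sentence in the commit message) stating that this is an arbitrary stack-buffer size rather than an ELF or GCC constraint would help; alternatively, sizing the buffer from the actual name (for example an allocation of pnamelen + 1 bytes freed after the lookup) removes the need for any limit.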
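Review bot: in the last hunk, `pnamelen = coldstr - sym->name` followed by the `> MAX_NAME_LEN` check and `pname[pnamelen] = '\0'` is in bounds (pname has MAX_NAME_LEN + 1 bytes, so index MAX_NAME_LEN is valid), but `strncpy(pname, sym->name, pnamelen)` with a length that never exceeds the source prefix adds nothing over memcpy() and invites the usual "is it NUL-terminated?" question; `memcpy(pname, sym->name, pnamelen); pname[pnamelen] = '\0';` states the intent directly. The approach itself is the right fix: the removed lines wrote '\0' into sym->name, the very string find_symbol_by_name() compares against while walking the same list, so a ".cold" symbol listed before its parent matched its own temporarily truncated name, which is the self-parent case the commit message describes.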
* [tip:core/urgent] objtool: Fix segfault in .cold detection with -ffunction-sections
From: tip-bot for Artem Savkov @ 2018-11-20 18:05 UTC
To: linux-tip-commits
Cc: torvalds, peterz, mingo, asavkov, hpa, linux-kernel, jpoimboe, tglx

Commit-ID:  22566c1603030f0a036ad564634b064ad1a55db2
Gitweb:     https://git.kernel.org/tip/22566c1603030f0a036ad564634b064ad1a55db2
Author:     Artem Savkov <asavkov@redhat.com>
AuthorDate: Tue, 20 Nov 2018 11:52:16 -0600
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Tue, 20 Nov 2018 18:59:00 +0100

objtool: Fix segfault in .cold detection with -ffunction-sections

Because find_symbol_by_name() traverses the same lists as read_symbols(), changing sym->name in place without copying it affects the result of find_symbol_by_name(). In the case where a ".cold" function precedes its parent in sec->symbol_list, it can result in a function being considered a parent of itself. This leads to function length being set to 0 and other consequent side-effects including a segfault in add_switch_table().

The effects of this bug are only visible when building with -ffunction-sections in KCFLAGS.

Fix by copying the search string instead of modifying it in place.

Signed-off-by: Artem Savkov <asavkov@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions")
Link: http://lkml.kernel.org/r/910abd6b5a4945130fd44f787c24e07b9e07c8da.1542736240.git.jpoimboe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 tools/objtool/elf.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
index e7a7ac40e045..b8f3cca8e58b 100644
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -31,6 +31,8 @@ #include "elf.h" #include "warn.h" +#define MAX_NAME_LEN 128 + struct section *find_section_by_name(struct elf *elf, const char *name) { struct section *sec;
@@ -298,6 +300,8 @@ static int read_symbols(struct elf *elf) /* Create parent/child links for any cold subfunctions */ list_for_each_entry(sec, &elf->sections, list) { list_for_each_entry(sym, &sec->symbol_list, list) { + char pname[MAX_NAME_LEN + 1]; + size_t pnamelen; if (sym->type != STT_FUNC) continue; sym->pfunc = sym->cfunc = sym;
@@ -305,9 +309,16 @@ static int read_symbols(struct elf *elf) if (!coldstr) continue; - coldstr[0] = '\0'; - pfunc = find_symbol_by_name(elf, sym->name); - coldstr[0] = '.'; + pnamelen = coldstr - sym->name; + if (pnamelen > MAX_NAME_LEN) { + WARN("%s(): parent function name exceeds maximum length of %d characters", + sym->name, MAX_NAME_LEN); + return -1; + } + + strncpy(pname, sym->name, pnamelen); + pname[pnamelen] = '\0'; + pfunc = find_symbol_by_name(elf, pname); if (!pfunc) { WARN("%s(): can't find parent function",
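The ordering bug the commit message above describes, as an added example that is not objtool's code: a two-entry symbol table modelled in plain C, with the ".cold" symbol deliberately placed before its parent, the ordering the message identifies as the trigger. `link_cold_inplace()` reproduces the in-place truncation and resolves the symbol to itself; `link_cold_copy()` does the lookup with a copied key, as the patch does. The function names (`find_by_name`, `link_cold_inplace`, `link_cold_copy`, `cold_is_own_parent`), the ".cold." suffix convention and the sample symbol names are constructed for this example.

```c
/* Added example, not objtool's code: a minimal model of the symbol list
 * and name lookup from the commit message.  Symbol names are constructed;
 * the ".cold" symbol is placed BEFORE its parent on purpose. */
#include <stdio.h>
#include <string.h>

struct sym {
    char name[64];          /* owned, mutable, like sym->name in the report */
    struct sym *pfunc;      /* parent function, resolved below */
};

/* The lookup walks the same table the caller is iterating over, as
 * find_symbol_by_name() walks the same lists as read_symbols(). */
static struct sym *find_by_name(struct sym *syms, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(syms[i].name, name) == 0)
            return &syms[i];
    return NULL;
}

/* Buggy variant: NUL-terminate sym->name in place so it reads as the
 * parent's name, search, then put the '.' back.  While truncated, the
 * symbol's own entry matches the query; if it precedes its parent in the
 * table it is returned, so the symbol becomes its own parent. */
static void link_cold_inplace(struct sym *syms, int n)
{
    for (int i = 0; i < n; i++) {
        struct sym *sym = &syms[i];
        char *coldstr = strstr(sym->name, ".cold.");
        sym->pfunc = sym;
        if (!coldstr)
            continue;
        coldstr[0] = '\0';
        struct sym *pfunc = find_by_name(syms, n, sym->name);
        coldstr[0] = '.';
        if (pfunc)
            sym->pfunc = pfunc;
    }
}

/* Fixed variant: copy the parent prefix into a private buffer so the
 * shared symbol table is never mutated during the lookup. */
static int link_cold_copy(struct sym *syms, int n)
{
    for (int i = 0; i < n; i++) {
        struct sym *sym = &syms[i];
        char *coldstr = strstr(sym->name, ".cold.");
        sym->pfunc = sym;
        if (!coldstr)
            continue;
        size_t pnamelen = (size_t)(coldstr - sym->name);
        char pname[sizeof sym->name];       /* prefix always fits: same size as name */
        memcpy(pname, sym->name, pnamelen);
        pname[pnamelen] = '\0';
        struct sym *pfunc = find_by_name(syms, n, pname);
        if (!pfunc)
            return -1;  /* parent missing: report it, leave cleanup to the caller */
        sym->pfunc = pfunc;
    }
    return 0;
}

/* Returns 1 if the ".cold" symbol ended up as its own parent (the bug),
 * 0 if it was linked to the real parent. */
static int cold_is_own_parent(int use_copy)
{
    /* Constructed sample: cold subfunction listed before its parent. */
    struct sym syms[2] = { { "foo.cold.1", NULL }, { "foo", NULL } };
    if (use_copy)
        link_cold_copy(syms, 2);
    else
        link_cold_inplace(syms, 2);
    return syms[0].pfunc == &syms[0];
}

int main(void)
{
    printf("in-place truncation: cold is own parent = %d\n", cold_is_own_parent(0));
    printf("copied search key:   cold is own parent = %d\n", cold_is_own_parent(1));
    return 0;
}
```

Swap the two table entries and the in-place variant appears to work, which is why the report ties the failure to symbol ordering (and to -ffunction-sections, which changes how symbols are distributed across sections) rather than to the truncation itself.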