Date: Thu, 8 Jun 2023 16:28:20 -0700
In-Reply-To: <20230608232823.4027869-1-irogers@google.com>
Message-Id: <20230608232823.4027869-24-irogers@google.com>
References: <20230608232823.4027869-1-irogers@google.com>
X-Mailer: git-send-email 2.41.0.162.gfafddb0af9-goog
Subject: [PATCH v2 23/26] perf header: Avoid out-of-bounds read
From: Ian Rogers
To: John Garry, Will Deacon, James Clark, Mike Leach, Leo Yan, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim, Ian Rogers, Adrian Hunter, Suzuki K Poulose, "Naveen N. Rao", Kan Liang, German Gomez, Ali Saidi, Jing Zhang, Athira Rajeev, Miguel Ojeda, ye xingchen, Liam Howlett, Dmitrii Dolgov <9erthalion6@gmail.com>, Yang Jihong, K Prateek Nayak, Changbin Du, Ravi Bangoria, Sean Christopherson, Andi Kleen, "Steinar H. Gunderson", Yuan Can, Brian Robbins, liuwenyu, Ivan Babrou, Fangrui Song, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-perf-users@vger.kernel.org, coresight@lists.linaro.org

intel-pt tests were failing:

```
...
--- Test virtual LBR ---
Linux
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.126 MB /tmp/perf-test-intel-pt-sh.FW57CXnCqQ/test-perf.data ]
Failed with virtual lbr
...
```

The root cause is an out-of-bounds read in header (where maxbrstack.py is from test_intel_pt.sh):

```
$ perf --no-pager script --itrace=L -s maxbrstack.py
=================================================================
==3907930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000095a8 at pc 0x563c26c840bb bp 0x7fff43582710 sp 0x7fff43582708
READ of size 4 at 0x6020000095a8 thread T0
    #0 0x563c26c840ba in process_group_desc util/header.c:2847
    #1 0x563c26c8bc78 in perf_file_section__process util/header.c:4037
    #2 0x563c26c8aa9b in perf_header__process_sections util/header.c:3813
    #3 0x563c26c8d028 in perf_session__read_header util/header.c:4286
    #4 0x563c26cbab29 in perf_session__open util/session.c:113
    #5 0x563c26cbb3d0 in __perf_session__new util/session.c:221
    #6 0x563c26aacb14 in perf_session__new util/session.h:73
    #7 0x563c26acf7f1 in cmd_script tools/perf/builtin-script.c:4212
    #8 0x563c26bb58ff in run_builtin tools/perf/perf.c:323
    #9 0x563c26bb5e70 in handle_internal_command tools/perf/perf.c:377
    #10 0x563c26bb6238 in run_argv tools/perf/perf.c:421
    #11 0x563c26bb67a0 in main tools/perf/perf.c:537
    #12 0x7f34bde46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #13 0x7f34bde46244 in __libc_start_main_impl ../csu/libc-start.c:381
    #14 0x563c26a33390 in _start (/tmp/perf/perf+0x1eb390)

0x6020000095a8 is located 8 bytes to the right of 16-byte region [0x602000009590,0x6020000095a0)
allocated by thread T0 here:
    #0 0x7f34beeb83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x563c26c83df8 in process_group_desc util/header.c:2824
    #2 0x563c26c8bc78 in perf_file_section__process util/header.c:4037
    #3 0x563c26c8aa9b in perf_header__process_sections util/header.c:3813
    #4 0x563c26c8d028 in perf_session__read_header util/header.c:4286
    #5 0x563c26cbab29 in perf_session__open util/session.c:113
    #6 0x563c26cbb3d0 in __perf_session__new util/session.c:221
    #7 0x563c26aacb14 in perf_session__new
util/session.h:73 #8 0x563c26acf7f1 in cmd_script tools/perf/builtin-script.c:4212 #9 0x563c26bb58ff in run_builtin tools/perf/perf.c:323 #10 0x563c26bb5e70 in handle_internal_command tools/perf/perf.c:377 #11 0x563c26bb6238 in run_argv tools/perf/perf.c:421 #12 0x563c26bb67a0 in main tools/perf/perf.c:537 #13 0x7f34bde46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 ``` Avoid the out-of-bounds read checking for the leader. Leave the 'nr' check intact as nr will be 0 or the counting down and evsel be a group member. Signed-off-by: Ian Rogers --- tools/perf/util/header.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c index 3db7c1fae71e..52fbf526fe74 100644 --- a/tools/perf/util/header.c +++ b/tools/perf/util/header.c @@ -2844,7 +2844,7 @@ static int process_group_desc(struct feat_fd *ff, void *data __maybe_unused) i = nr = 0; evlist__for_each_entry(session->evlist, evsel) { - if (evsel->core.idx == (int) desc[i].leader_idx) { + if (i < nr_groups && evsel->core.idx == (int) desc[i].leader_idx) { evsel__set_leader(evsel, evsel); /* {anon_group} is a dummy name */ if (strcmp(desc[i].name, "{anon_group}")) { -- 2.41.0.162.gfafddb0af9-goog _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
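Review bot: the new `i < nr_groups` test on the changed `if` line in process_group_desc() carries no comment explaining why `i` can equal `nr_groups` while evlist__for_each_entry() is still iterating, and the hunk does not show where `i` advances, so the reason for the guard is only recoverable from the commit message. A one-line comment above the condition (for example, that the remaining evsels come after the last group descriptor has been consumed) would keep a later cleanup from dropping the bound or reordering the `&&`, since the guard only works because it is evaluated before `desc[i].leader_idx`. The declarations of `i` and `nr_groups` are also outside the visible context, so it is worth confirming they have the same signedness for this comparison. Separately, the commit message has no Fixes: tag; for a heap out-of-bounds read caught by ASan at util/header.c:2847, naming the commit that introduced the unguarded access would help stable backports.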