From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Andi Kleen <ak@linux.intel.com>
Cc: linux-perf-users@vger.kernel.org, adrian.hunter@intel.com,
namhyung@kernel.org
Subject: Re: [PATCH v1 01/10] perf: Avoid buffer overflow in python register interface
Date: Thu, 12 Sep 2024 09:41:55 -0300 [thread overview]
Message-ID: <ZuLhk6yGrr2HET6d@x1> (raw)
In-Reply-To: <20240905015300.2124798-2-ak@linux.intel.com>
On Wed, Sep 04, 2024 at 06:50:09PM -0700, Andi Kleen wrote:
> Running a script that processes PEBS records gives buffer overflows
> in valgrind. The problem is that the allocation of the register
> string doesn't include the terminating 0 byte. Fix this. I also replaced
> the very magic "28" with a more reasonable larger buffer that should
> fit all registers. There's no need to conserve memory here.
I applied this one already.
But you used the wrong list address, perf-tools-users@vger, I'm fixing
this up now to linux-perf-users@vger so that the message reaches the
mailing list.
I waited a bit for reviewers but then realized the problem with the list
address when trying to use b4 to fetch it from lore :-\
- Arnaldo
> ==2106591== Memcheck, a memory error detector
> ==2106591== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
> ==2106591== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
> ==2106591== Command: ../perf script -i tcall.data gcov.py tcall.gcov
> ==2106591==
> ==2106591== Invalid write of size 1
> ==2106591== at 0x713354: regs_map (trace-event-python.c:748)
> ==2106591== by 0x7134EB: set_regs_in_dict (trace-event-python.c:784)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591== Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
> ==2106591== at 0x484280F: malloc (vg_replace_malloc.c:442)
> ==2106591== by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591==
> ==2106591== Invalid read of size 1
> ==2106591== at 0x484B6C6: strlen (vg_replace_strmem.c:502)
> ==2106591== by 0x555D494: PyUnicode_FromString (unicodeobject.c:1899)
> ==2106591== by 0x7134F7: set_regs_in_dict (trace-event-python.c:786)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
> ==2106591== at 0x484280F: malloc (vg_replace_malloc.c:442)
> ==2106591== by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591==
> ==2106591== Invalid write of size 1
> ==2106591== at 0x713354: regs_map (trace-event-python.c:748)
> ==2106591== by 0x713539: set_regs_in_dict (trace-event-python.c:789)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591== Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
> ==2106591== at 0x484280F: malloc (vg_replace_malloc.c:442)
> ==2106591== by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591==
> ==2106591== Invalid read of size 1
> ==2106591== at 0x484B6C6: strlen (vg_replace_strmem.c:502)
> ==2106591== by 0x555D494: PyUnicode_FromString (unicodeobject.c:1899)
> ==2106591== by 0x713545: set_regs_in_dict (trace-event-python.c:791)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
> ==2106591== at 0x484280F: malloc (vg_replace_malloc.c:442)
> ==2106591== by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
> ==2106591== by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
> ==2106591== by 0x716327: python_process_general_event (trace-event-python.c:1499)
> ==2106591== by 0x7164E1: python_process_event (trace-event-python.c:1531)
> ==2106591== by 0x44F9AF: process_sample_event (builtin-script.c:2549)
> ==2106591== by 0x6294DC: evlist__deliver_sample (session.c:1534)
> ==2106591== by 0x6296D0: machines__deliver_event (session.c:1573)
> ==2106591== by 0x629C39: perf_session__deliver_event (session.c:1655)
> ==2106591== by 0x625830: ordered_events__deliver_event (session.c:193)
> ==2106591== by 0x630B23: do_flush (ordered-events.c:245)
> ==2106591== by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
> ==2106591==
> 73056 total, 29 ignored
>
> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> ---
> .../perf/util/scripting-engines/trace-event-python.c | 11 +++--------
> 1 file changed, 3 insertions(+), 8 deletions(-)
>
> diff --git a/tools/perf/util/scripting-engines/trace-event-python.c b/tools/perf/util/scripting-engines/trace-event-python.c
> index 6971dd6c231f..d7183134b669 100644
> --- a/tools/perf/util/scripting-engines/trace-event-python.c
> +++ b/tools/perf/util/scripting-engines/trace-event-python.c
> @@ -762,6 +762,8 @@ static void regs_map(struct regs_dump *regs, uint64_t mask, const char *arch, ch
> }
> }
>
> +#define MAX_REG_SIZE 128
> +
> static int set_regs_in_dict(PyObject *dict,
> struct perf_sample *sample,
> struct evsel *evsel)
> @@ -769,14 +771,7 @@ static int set_regs_in_dict(PyObject *dict,
> struct perf_event_attr *attr = &evsel->core.attr;
> const char *arch = perf_env__arch(evsel__env(evsel));
>
> - /*
> - * Here value 28 is a constant size which can be used to print
> - * one register value and its corresponds to:
> - * 16 chars is to specify 64 bit register in hexadecimal.
> - * 2 chars is for appending "0x" to the hexadecimal value and
> - * 10 chars is for register name.
> - */
> - int size = __sw_hweight64(attr->sample_regs_intr) * 28;
> + int size = (__sw_hweight64(attr->sample_regs_intr) * MAX_REG_SIZE) + 1;
> char *bf = malloc(size);
> if (!bf)
> return -1;
> --
> 2.45.2
next parent reply other threads:[~2024-09-12 12:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240905015300.2124798-1-ak@linux.intel.com>
[not found] ` <20240905015300.2124798-2-ak@linux.intel.com>
2024-09-12 12:41 ` Arnaldo Carvalho de Melo [this message]
2024-09-12 14:38 ` [PATCH v1 01/10] perf: Avoid buffer overflow in python register interface Andi Kleen
2024-09-12 14:53 ` Arnaldo Carvalho de Melo
[not found] ` <20240905015300.2124798-3-ak@linux.intel.com>
2024-09-12 12:51 ` [PATCH v1 02/10] perf: Support discriminator in addr2line Arnaldo Carvalho de Melo
2024-09-12 14:58 ` Andi Kleen
2024-09-05 15:07 [RESEND] More dwarf support in python interface Andi Kleen
2024-09-05 15:07 ` [PATCH v1 01/10] perf: Avoid buffer overflow in python register interface Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZuLhk6yGrr2HET6d@x1 \
--to=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=ak@linux.intel.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=namhyung@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).