From: Arnaldo Carvalho de Melo <acme@redhat.com>
To: Anton Blanchard <anton@samba.org>
Cc: paulus@samba.org, peterz@infradead.org, mingo@elte.hu,
dsahern@gmail.com, fweisbec@gmail.com,
yanmin_zhang@linux.intel.com, emunson@mgebm.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] perf: Incorrect use of snprintf results in SEGV
Date: Tue, 6 Mar 2012 22:09:04 -0300 [thread overview]
Message-ID: <20120307010904.GE5656@infradead.org> (raw)
In-Reply-To: <20120307114249.44275ca3@kryten>
Em Wed, Mar 07, 2012 at 11:42:49AM +1100, Anton Blanchard escreveu:
>
> I have a workload where perf top scribbles over the stack and we
> SEGV. What makes it interesting is that an snprintf is causing this.
>
> The workload is a c++ gem that has method names over 3000 characters
> long, but snprintf is designed to avoid overrunning buffers. So what
> went wrong?
>
> The problem is we assume snprintf returns the number of characters
> written:
>
> ret += repsep_snprintf(bf + ret, size - ret, "[%c] ", self->level);
> ...
> ret += repsep_snprintf(bf + ret, size - ret, "%s", self->ms.sym->name);
>
> Unfortunately this is not how snprintf works. snprintf returns the
> number of characters that would have been written if there was enough
> space. In the above case, if the first snprintf returns a value larger
> than size, we pass a negative size into the second snprintf and
> happily scribble over the stack. If you have 3000 character c++
> methods thats a lot of stack to trample.
>
> This patch fixes repsep_snprintf by clamping the value at size - 1
> which is the maximum snprintf can write before adding the NULL
> terminator.
>
> I get the sinking feeling that there are a lot of other uses of
> snprintf that have this same bug, we should audit them all.
Indeed, I wonder what kind of crack pipe I was smoking when I read the
snprintf man page.
Or what kind of such pipe the people who designed snprintf were using
:-(
>
> Signed-off-by: Anton Blanchard <anton@samba.org>
> Cc: stable@kernel.org
> ---
>
> Index: linux-build/tools/perf/util/sort.c
> ===================================================================
> --- linux-build.orig/tools/perf/util/sort.c 2012-03-07 10:58:57.502318907 +1100
> +++ linux-build/tools/perf/util/sort.c 2012-03-07 11:00:58.812423271 +1100
> @@ -33,6 +33,9 @@ static int repsep_snprintf(char *bf, siz
> }
> }
> va_end(ap);
> +
> + if (n >= (int)size)
> + return size - 1;
> return n;
> }
>
next prev parent reply other threads:[~2012-03-07 1:09 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-07 0:42 [PATCH] perf: Incorrect use of snprintf results in SEGV Anton Blanchard
2012-03-07 0:49 ` Peter Seebach
2012-03-07 1:09 ` Arnaldo Carvalho de Melo [this message]
2012-03-07 1:29 ` Peter Seebach
2012-03-07 18:44 ` Nick Bowler
2012-03-07 20:24 ` Peter Seebach
2012-03-07 20:37 ` Ingo Molnar
2012-03-07 20:59 ` Peter Zijlstra
2012-03-07 21:28 ` Peter Seebach
2012-03-08 7:34 ` Ingo Molnar
2012-03-08 8:51 ` Peter Seebach
2012-03-07 21:19 ` Peter Seebach
2012-03-08 0:58 ` Arnaldo Carvalho de Melo
2012-03-08 7:48 ` Ingo Molnar
2012-03-08 7:52 ` Ingo Molnar
2012-03-09 19:00 ` Peter Seebach
2012-03-14 19:59 ` [tip:perf/urgent] perf tools: " tip-bot for Anton Blanchard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120307010904.GE5656@infradead.org \
--to=acme@redhat.com \
--cc=anton@samba.org \
--cc=dsahern@gmail.com \
--cc=emunson@mgebm.net \
--cc=fweisbec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=paulus@samba.org \
--cc=peterz@infradead.org \
--cc=yanmin_zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox