* perf-probe crash in dwarf_getcfi_elf
From: David Ahern @ 2014-12-30 4:39 UTC (permalink / raw)
To: Namhyung Kim; +Cc: Masami Hiramatsu, Arnaldo Carvalho de Melo, LKML
Hi Namhyung:
Using perf-probe from top of Linus' tree I get a segfault on both Fedora
16 and 18 (does not crash on Fedora 20). Command used is:
perf probe -x /lib64/libc-2.14.90.so -a 'malloc size=%di'
git bisect points to:
commit 03d89412981a7681971bc77edba1669595763030
Author: Namhyung Kim <namhyung@kernel.org>
Date: Mon Apr 7 16:05:48 2014 +0900
perf probe: Use dwarf_getcfi_elf() instead of dwarf_getcfi()
Backtrace at time of crash is:
(gdb) bt
#0 parse_eh_frame_hdr (hdr=0x0, hdr_size=2596, hdr_vaddr=71788,
ehdr=0x7fffffffd390, eh_frame_vaddr=
0x7fffffffd378, table_entries=0x8808d8, table_encoding=0x8808e0 "")
at dwarf_getcfi_elf.c:79
#1 0x000000385f81615a in getcfi_scn_eh_frame (hdr_vaddr=71788,
hdr_scn=0x8839b0, shdr=0x7fffffffd2f0,
scn=<optimized out>, ehdr=0x7fffffffd390, elf=0x882b30) at
dwarf_getcfi_elf.c:231
#2 getcfi_shdr (ehdr=0x7fffffffd390, elf=0x882b30) at
dwarf_getcfi_elf.c:283
#3 dwarf_getcfi_elf (elf=0x882b30) at dwarf_getcfi_elf.c:309
#4 0x00000000004d5bac in debuginfo__find_probes (pf=0x7fffffffd4f0,
dbg=Unhandled dwarf expression opcode 0xfa
) at util/probe-finder.c:993
#5 0x00000000004d634a in debuginfo__find_trace_events (dbg=0x880840,
pev=<optimized out>, tevs=0x880f88,
max_tevs=<optimized out>) at util/probe-finder.c:1200
#6 0x00000000004aed6b in try_to_find_probe_trace_events
(target=0x881b20 "/lib64/libpthread-2.14.90.so",
max_tevs=128, tevs=0x880f88, pev=0x859b30) at util/probe-event.c:482
#7 convert_to_probe_trace_events (target=0x881b20
"/lib64/libpthread-2.14.90.so", max_tevs=128, tevs=0x880f88,
pev=0x859b30) at util/probe-event.c:2356
#8 add_perf_probe_events (pevs=<optimized out>, npevs=1, max_tevs=128,
target=
0x881b20 "/lib64/libpthread-2.14.90.so", force_add=false) at
util/probe-event.c:2391
#9 0x000000000044014f in __cmd_probe (argc=<optimized out>,
argv=0x7fffffffe2f0, prefix=Unhandled dwarf expression opcode 0xfa
)
at builtin-probe.c:488
#10 0x0000000000440313 in cmd_probe (argc=5, argv=0x7fffffffe2f0,
prefix=<optimized out>) at builtin-probe.c:506
#11 0x000000000041d133 in run_builtin (p=0x805680, argc=5,
argv=0x7fffffffe2f0) at perf.c:341
#12 0x000000000041c8b2 in handle_internal_command (argv=<optimized out>,
argc=<optimized out>) at perf.c:400
#13 run_argv (argv=<optimized out>, argcp=<optimized out>) at perf.c:444
#14 main (argc=5, argv=0x7fffffffe2f0) at perf.c:559
David
* Re: perf-probe crash in dwarf_getcfi_elf
From: Namhyung Kim @ 2014-12-30 8:47 UTC (permalink / raw)
To: David Ahern
Cc: Masami Hiramatsu, Arnaldo Carvalho de Melo, LKML, Mark Wielaard
On Mon, Dec 29, 2014 at 09:39:18PM -0700, David Ahern wrote:
> Hi Namhyung:
>
> Using perf-probe from top of Linus' tree I get a segfault on both Fedora 16
> and 18 (does not crash on Fedora 20). Command used is:
>
> perf probe -x /lib64/libc-2.14.90.so -a 'malloc size=%di'
>
> git bisect points to:
>
> commit 03d89412981a7681971bc77edba1669595763030
> Author: Namhyung Kim <namhyung@kernel.org>
> Date: Mon Apr 7 16:05:48 2014 +0900
>
> perf probe: Use dwarf_getcfi_elf() instead of dwarf_getcfi()
>
It seems to be related to the commit below in elfutils. We might need to
check that the .eh_frame section has SHT_PROGBITS. Will send a patch soon.
Thanks,
Namhyung
commit 5704c8c4fa717b6e9c2d2e4304dfbc810ad42e4b
Author: Mark Wielaard <mjw@redhat.com>
Date: Tue Jul 2 11:22:35 2013 +0200
getcfi_scn_eh_frame: Don't crash and burn when .eh_frame bits aren't there.
Trying to read non-existing bits sometimes works and normally a sanity
check will fail. But it could also lead to an unexpected crash much later
when trying to use the non-existing data.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 700c166..22f8b0c 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,7 @@
+2013-07-02 Mark Wielaard <mjw@redhat.com>
+
+ * dwarf_getcfi_elf.c (getcfi_shdr): Check sh_type == SHT_PROGBITS.
+
2013-06-26 Mark Wielaard <mjw@redhat.com>
* libdw_visit_scopes.c (__libdw_visit_scopes): Don't reject root
diff --git a/libdw/dwarf_getcfi_elf.c b/libdw/dwarf_getcfi_elf.c
index ba00e05..a423ef3 100644
--- a/libdw/dwarf_getcfi_elf.c
+++ b/libdw/dwarf_getcfi_elf.c
@@ -280,8 +280,13 @@ getcfi_shdr (Elf *elf, const GElf_Ehdr *ehdr)
hdr_vaddr = shdr->sh_addr;
}
else if (!strcmp (name, ".eh_frame"))
- return getcfi_scn_eh_frame (elf, ehdr, scn, shdr,
- hdr_scn, hdr_vaddr);
+ {
+ if (shdr->sh_type == SHT_PROGBITS)
+ return getcfi_scn_eh_frame (elf, ehdr, scn, shdr,
+ hdr_scn, hdr_vaddr);
+ else
+ return NULL;
+ }
}
}
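Review bot: the new sh_type test guards only the .eh_frame branch; the .eh_frame_hdr branch just above it (`hdr_vaddr = shdr->sh_addr;`) still records the section without checking that it is SHT_PROGBITS, and the backtrace reported in this thread shows parse_eh_frame_hdr being entered with hdr=0x0 and hdr_size=2596, that is, with the header section's bytes missing. Consider applying the same test to the .eh_frame_hdr branch (or validating the section data buffer before it is parsed) so that a NOBITS .eh_frame_hdr next to a PROGBITS .eh_frame cannot reach the parser with a NULL buffer. Returning NULL rather than attempting the read is the right fail-safe for the .eh_frame case.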
> Backtrace at time of crash is:
>
> (gdb) bt
> #0 parse_eh_frame_hdr (hdr=0x0, hdr_size=2596, hdr_vaddr=71788,
> ehdr=0x7fffffffd390, eh_frame_vaddr=
> 0x7fffffffd378, table_entries=0x8808d8, table_encoding=0x8808e0 "") at
> dwarf_getcfi_elf.c:79
> #1 0x000000385f81615a in getcfi_scn_eh_frame (hdr_vaddr=71788,
> hdr_scn=0x8839b0, shdr=0x7fffffffd2f0,
> scn=<optimized out>, ehdr=0x7fffffffd390, elf=0x882b30) at
> dwarf_getcfi_elf.c:231
> #2 getcfi_shdr (ehdr=0x7fffffffd390, elf=0x882b30) at
> dwarf_getcfi_elf.c:283
> #3 dwarf_getcfi_elf (elf=0x882b30) at dwarf_getcfi_elf.c:309
> #4 0x00000000004d5bac in debuginfo__find_probes (pf=0x7fffffffd4f0,
> dbg=Unhandled dwarf expression opcode 0xfa
> ) at util/probe-finder.c:993
> #5 0x00000000004d634a in debuginfo__find_trace_events (dbg=0x880840,
> pev=<optimized out>, tevs=0x880f88,
> max_tevs=<optimized out>) at util/probe-finder.c:1200
> #6 0x00000000004aed6b in try_to_find_probe_trace_events (target=0x881b20
> "/lib64/libpthread-2.14.90.so",
> max_tevs=128, tevs=0x880f88, pev=0x859b30) at util/probe-event.c:482
> #7 convert_to_probe_trace_events (target=0x881b20
> "/lib64/libpthread-2.14.90.so", max_tevs=128, tevs=0x880f88,
> pev=0x859b30) at util/probe-event.c:2356
> #8 add_perf_probe_events (pevs=<optimized out>, npevs=1, max_tevs=128,
> target=
> 0x881b20 "/lib64/libpthread-2.14.90.so", force_add=false) at
> util/probe-event.c:2391
> #9 0x000000000044014f in __cmd_probe (argc=<optimized out>,
> argv=0x7fffffffe2f0, prefix=Unhandled dwarf expression opcode 0xfa
> )
> at builtin-probe.c:488
> #10 0x0000000000440313 in cmd_probe (argc=5, argv=0x7fffffffe2f0,
> prefix=<optimized out>) at builtin-probe.c:506
> #11 0x000000000041d133 in run_builtin (p=0x805680, argc=5,
> argv=0x7fffffffe2f0) at perf.c:341
> #12 0x000000000041c8b2 in handle_internal_command (argv=<optimized out>,
> argc=<optimized out>) at perf.c:400
> #13 run_argv (argv=<optimized out>, argcp=<optimized out>) at perf.c:444
> #14 main (argc=5, argv=0x7fffffffe2f0) at perf.c:559
>
> David
* Re: perf-probe crash in dwarf_getcfi_elf
From: Namhyung Kim @ 2014-12-30 9:05 UTC (permalink / raw)
To: David Ahern
Cc: Masami Hiramatsu, Arnaldo Carvalho de Melo, LKML, Mark Wielaard
On Tue, Dec 30, 2014 at 05:47:08PM +0900, Namhyung Kim wrote:
> On Mon, Dec 29, 2014 at 09:39:18PM -0700, David Ahern wrote:
> > Hi Namhyung:
> >
> > Using perf-probe from top of Linus' tree I get a segfault on both Fedora 16
> > and 18 (does not crash on Fedora 20). Command used is:
> >
> > perf probe -x /lib64/libc-2.14.90.so -a 'malloc size=%di'
> >
> > git bisect points to:
> >
> > commit 03d89412981a7681971bc77edba1669595763030
> > Author: Namhyung Kim <namhyung@kernel.org>
> > Date: Mon Apr 7 16:05:48 2014 +0900
> >
> > perf probe: Use dwarf_getcfi_elf() instead of dwarf_getcfi()
> >
>
> It seems to be related to the commit below in elfutils. We might need to
> check that the .eh_frame section has SHT_PROGBITS. Will send a patch soon.
From f56964e74d60a9921214d0e2e5c3d082f5a910c1 Mon Sep 17 00:00:00 2001
From: Namhyung Kim <namhyung@kernel.org>
Date: Tue, 30 Dec 2014 17:47:47 +0900
Subject: [PATCH] perf probe: Fix a segfault on old libdw
David reported that perf can segfault when adding an uprobe event like
this:
$ perf probe -x /lib64/libc-2.14.90.so -a 'malloc size=%di'
(gdb) bt
#0 parse_eh_frame_hdr (hdr=0x0, hdr_size=2596, hdr_vaddr=71788,
ehdr=0x7fffffffd390, eh_frame_vaddr=
0x7fffffffd378, table_entries=0x8808d8, table_encoding=0x8808e0 "") at
dwarf_getcfi_elf.c:79
#1 0x000000385f81615a in getcfi_scn_eh_frame (hdr_vaddr=71788,
hdr_scn=0x8839b0, shdr=0x7fffffffd2f0, scn=<optimized out>,
ehdr=0x7fffffffd390, elf=0x882b30) at dwarf_getcfi_elf.c:231
#2 getcfi_shdr (ehdr=0x7fffffffd390, elf=0x882b30) at dwarf_getcfi_elf.c:283
#3 dwarf_getcfi_elf (elf=0x882b30) at dwarf_getcfi_elf.c:309
#4 0x00000000004d5bac in debuginfo__find_probes (pf=0x7fffffffd4f0,
dbg=Unhandled dwarf expression opcode 0xfa) at util/probe-finder.c:993
#5 0x00000000004d634a in debuginfo__find_trace_events (dbg=0x880840,
pev=<optimized out>, tevs=0x880f88, max_tevs=<optimized out>) at
util/probe-finder.c:1200
#6 0x00000000004aed6b in try_to_find_probe_trace_events (target=0x881b20
"/lib64/libpthread-2.14.90.so",
max_tevs=128, tevs=0x880f88, pev=0x859b30) at util/probe-event.c:482
#7 convert_to_probe_trace_events (target=0x881b20
"/lib64/libpthread-2.14.90.so", max_tevs=128, tevs=0x880f88,
pev=0x859b30) at util/probe-event.c:2356
#8 add_perf_probe_events (pevs=<optimized out>, npevs=1, max_tevs=128,
target=0x881b20 "/lib64/libpthread-2.14.90.so", force_add=false) at
util/probe-event.c:2391
#9 0x000000000044014f in __cmd_probe (argc=<optimized out>,
argv=0x7fffffffe2f0, prefix=Unhandled dwarf expression opcode 0xfa) at
at builtin-probe.c:488
#10 0x0000000000440313 in cmd_probe (argc=5, argv=0x7fffffffe2f0,
prefix=<optimized out>) at builtin-probe.c:506
#11 0x000000000041d133 in run_builtin (p=0x805680, argc=5,
argv=0x7fffffffe2f0) at perf.c:341
#12 0x000000000041c8b2 in handle_internal_command (argv=<optimized out>,
argc=<optimized out>) at perf.c:400
#13 run_argv (argv=<optimized out>, argcp=<optimized out>) at perf.c:444
#14 main (argc=5, argv=0x7fffffffe2f0) at perf.c:559
And I found a related commit (5704c8c4fa71 "getcfi_scn_eh_frame: Don't
crash and burn when .eh_frame bits aren't there.") in elfutils that
can lead to an unexpected crash like this. To safely use the function,
it needs to check that the .eh_frame section is of PROGBITS type.
Reported-by: David Ahern <dsahern@gmail.com>
Cc: Mark Wielaard <mjw@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
---
tools/perf/util/probe-finder.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
index c7918f83b300..b5247d777f0e 100644
--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -989,8 +989,24 @@ static int debuginfo__find_probes(struct debuginfo *dbg,
int ret = 0;
#if _ELFUTILS_PREREQ(0, 142)
+ Elf *elf;
+ GElf_Ehdr ehdr;
+ GElf_Shdr shdr;
+
/* Get the call frame information from this dwarf */
- pf->cfi = dwarf_getcfi_elf(dwarf_getelf(dbg->dbg));
+ elf = dwarf_getelf(dbg->dbg);
+ if (elf == NULL)
+ return -EINVAL;
+
+ if (gelf_getehdr(elf, &ehdr) == NULL)
+ return -EINVAL;
+
+ if (elf_section_by_name(elf, &ehdr, &shdr, ".eh_frame", NULL) &&
+ shdr.sh_type == SHT_PROGBITS) {
+ pf->cfi = dwarf_getcfi_elf(elf);
+ } else {
+ pf->cfi = dwarf_getcfi(dbg->dbg);
+ }
#endif
off = 0;
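Review bot: dwarf_getcfi_elf() can itself return NULL (that is exactly what the elfutils fix quoted earlier in this thread does when .eh_frame is not PROGBITS), yet pf->cfi is assigned without a check and the dwarf_getcfi() fallback is not taken in that case; consider falling back whenever the .eh_frame path yields NULL, not only when the section type test fails. The two branches also hand back handles with different ownership: as Mark Wielaard points out later in the thread, a dwarf_getcfi_elf() result must be released with dwarf_cfi_end(), while a dwarf_getcfi() result is owned by the Dwarf and freed by dwarf_end(), so whatever releases pf->cfi needs to know which branch produced it. Minor: the two early `return -EINVAL` paths bypass the `ret` variable initialised just above the hunk, which is only safe if nothing earlier in the function needs cleanup.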
--
2.1.3
* Re: perf-probe crash in dwarf_getcfi_elf
From: David Ahern @ 2014-12-30 17:13 UTC (permalink / raw)
To: Namhyung Kim
Cc: Masami Hiramatsu, Arnaldo Carvalho de Melo, LKML, Mark Wielaard
On 12/30/14 2:05 AM, Namhyung Kim wrote:
> From f56964e74d60a9921214d0e2e5c3d082f5a910c1 Mon Sep 17 00:00:00 2001
> From: Namhyung Kim <namhyung@kernel.org>
> Date: Tue, 30 Dec 2014 17:47:47 +0900
> Subject: [PATCH] perf probe: Fix a segfault on old libdw
>
> David reported that perf can segfault when adding an uprobe event like
> this:
>
> $ perf probe -x /lib64/libc-2.14.90.so -a 'malloc size=%di'
>
> (gdb) bt
> #0 parse_eh_frame_hdr (hdr=0x0, hdr_size=2596, hdr_vaddr=71788,
> ehdr=0x7fffffffd390, eh_frame_vaddr=
> 0x7fffffffd378, table_entries=0x8808d8, table_encoding=0x8808e0 "") at
> dwarf_getcfi_elf.c:79
> #1 0x000000385f81615a in getcfi_scn_eh_frame (hdr_vaddr=71788,
> hdr_scn=0x8839b0, shdr=0x7fffffffd2f0, scn=<optimized out>,
> ehdr=0x7fffffffd390, elf=0x882b30) at dwarf_getcfi_elf.c:231
> #2 getcfi_shdr (ehdr=0x7fffffffd390, elf=0x882b30) at dwarf_getcfi_elf.c:283
> #3 dwarf_getcfi_elf (elf=0x882b30) at dwarf_getcfi_elf.c:309
> #4 0x00000000004d5bac in debuginfo__find_probes (pf=0x7fffffffd4f0,
> dbg=Unhandled dwarf expression opcode 0xfa) at util/probe-finder.c:993
> #5 0x00000000004d634a in debuginfo__find_trace_events (dbg=0x880840,
> pev=<optimized out>, tevs=0x880f88, max_tevs=<optimized out>) at
> util/probe-finder.c:1200
> #6 0x00000000004aed6b in try_to_find_probe_trace_events (target=0x881b20
> "/lib64/libpthread-2.14.90.so",
> max_tevs=128, tevs=0x880f88, pev=0x859b30) at util/probe-event.c:482
> #7 convert_to_probe_trace_events (target=0x881b20
> "/lib64/libpthread-2.14.90.so", max_tevs=128, tevs=0x880f88,
> pev=0x859b30) at util/probe-event.c:2356
> #8 add_perf_probe_events (pevs=<optimized out>, npevs=1, max_tevs=128,
> target=0x881b20 "/lib64/libpthread-2.14.90.so", force_add=false) at
> util/probe-event.c:2391
> #9 0x000000000044014f in __cmd_probe (argc=<optimized out>,
> argv=0x7fffffffe2f0, prefix=Unhandled dwarf expression opcode 0xfa) at
> at builtin-probe.c:488
> #10 0x0000000000440313 in cmd_probe (argc=5, argv=0x7fffffffe2f0,
> prefix=<optimized out>) at builtin-probe.c:506
> #11 0x000000000041d133 in run_builtin (p=0x805680, argc=5,
> argv=0x7fffffffe2f0) at perf.c:341
> #12 0x000000000041c8b2 in handle_internal_command (argv=<optimized out>,
> argc=<optimized out>) at perf.c:400
> #13 run_argv (argv=<optimized out>, argcp=<optimized out>) at perf.c:444
> #14 main (argc=5, argv=0x7fffffffe2f0) at perf.c:559
>
> And I found a related commit (5704c8c4fa71 "getcfi_scn_eh_frame: Don't
> crash and burn when .eh_frame bits aren't there.") in elfutils that
> can lead to an unexpected crash like this. To safely use the function,
> it needs to check that the .eh_frame section is of PROGBITS type.
>
> Reported-by: David Ahern <dsahern@gmail.com>
> Cc: Mark Wielaard <mjw@redhat.com>
> Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Solves the crash for me.
Tested-by: David Ahern <dsahern@gmail.com>
Thanks for the quick response, Namhyung.
David
* Re: Re: perf-probe crash in dwarf_getcfi_elf
From: Masami Hiramatsu @ 2014-12-30 22:13 UTC (permalink / raw)
To: Namhyung Kim; +Cc: David Ahern, Arnaldo Carvalho de Melo, LKML, Mark Wielaard
(2014/12/30 18:05), Namhyung Kim wrote:
> On Tue, Dec 30, 2014 at 05:47:08PM +0900, Namhyung Kim wrote:
>> On Mon, Dec 29, 2014 at 09:39:18PM -0700, David Ahern wrote:
>>> Hi Namhyung:
>>>
>>> Using perf-probe from top of Linus' tree I get a segfault on both Fedora 16
>>> and 18 (does not crash on Fedora 20). Command used is:
>>>
>>> perf probe -x /lib64/libc-2.14.90.so -a 'malloc size=%di'
>>>
>>> git bisect points to:
>>>
>>> commit 03d89412981a7681971bc77edba1669595763030
>>> Author: Namhyung Kim <namhyung@kernel.org>
>>> Date: Mon Apr 7 16:05:48 2014 +0900
>>>
>>> perf probe: Use dwarf_getcfi_elf() instead of dwarf_getcfi()
>>>
>>
>> It seems to be related to the commit below in elfutils. We might need to
>> check that the .eh_frame section has SHT_PROGBITS. Will send a patch soon.
>
>
> From f56964e74d60a9921214d0e2e5c3d082f5a910c1 Mon Sep 17 00:00:00 2001
> From: Namhyung Kim <namhyung@kernel.org>
> Date: Tue, 30 Dec 2014 17:47:47 +0900
> Subject: [PATCH] perf probe: Fix a segfault on old libdw
>
> David reported that perf can segfault when adding an uprobe event like
> this:
>
> $ perf probe -x /lib64/libc-2.14.90.so -a 'malloc size=%di'
>
> (gdb) bt
> #0 parse_eh_frame_hdr (hdr=0x0, hdr_size=2596, hdr_vaddr=71788,
> ehdr=0x7fffffffd390, eh_frame_vaddr=
> 0x7fffffffd378, table_entries=0x8808d8, table_encoding=0x8808e0 "") at
> dwarf_getcfi_elf.c:79
> #1 0x000000385f81615a in getcfi_scn_eh_frame (hdr_vaddr=71788,
> hdr_scn=0x8839b0, shdr=0x7fffffffd2f0, scn=<optimized out>,
> ehdr=0x7fffffffd390, elf=0x882b30) at dwarf_getcfi_elf.c:231
> #2 getcfi_shdr (ehdr=0x7fffffffd390, elf=0x882b30) at dwarf_getcfi_elf.c:283
> #3 dwarf_getcfi_elf (elf=0x882b30) at dwarf_getcfi_elf.c:309
> #4 0x00000000004d5bac in debuginfo__find_probes (pf=0x7fffffffd4f0,
> dbg=Unhandled dwarf expression opcode 0xfa) at util/probe-finder.c:993
> #5 0x00000000004d634a in debuginfo__find_trace_events (dbg=0x880840,
> pev=<optimized out>, tevs=0x880f88, max_tevs=<optimized out>) at
> util/probe-finder.c:1200
> #6 0x00000000004aed6b in try_to_find_probe_trace_events (target=0x881b20
> "/lib64/libpthread-2.14.90.so",
> max_tevs=128, tevs=0x880f88, pev=0x859b30) at util/probe-event.c:482
> #7 convert_to_probe_trace_events (target=0x881b20
> "/lib64/libpthread-2.14.90.so", max_tevs=128, tevs=0x880f88,
> pev=0x859b30) at util/probe-event.c:2356
> #8 add_perf_probe_events (pevs=<optimized out>, npevs=1, max_tevs=128,
> target=0x881b20 "/lib64/libpthread-2.14.90.so", force_add=false) at
> util/probe-event.c:2391
> #9 0x000000000044014f in __cmd_probe (argc=<optimized out>,
> argv=0x7fffffffe2f0, prefix=Unhandled dwarf expression opcode 0xfa) at
> at builtin-probe.c:488
> #10 0x0000000000440313 in cmd_probe (argc=5, argv=0x7fffffffe2f0,
> prefix=<optimized out>) at builtin-probe.c:506
> #11 0x000000000041d133 in run_builtin (p=0x805680, argc=5,
> argv=0x7fffffffe2f0) at perf.c:341
> #12 0x000000000041c8b2 in handle_internal_command (argv=<optimized out>,
> argc=<optimized out>) at perf.c:400
> #13 run_argv (argv=<optimized out>, argcp=<optimized out>) at perf.c:444
> #14 main (argc=5, argv=0x7fffffffe2f0) at perf.c:559
>
> And I found a related commit (5704c8c4fa71 "getcfi_scn_eh_frame: Don't
> crash and burn when .eh_frame bits aren't there.") in elfutils that
> can lead to an unexpected crash like this. To safely use the function,
> it needs to check that the .eh_frame section is of PROGBITS type.
>
Looks good to me :)
> Reported-by: David Ahern <dsahern@gmail.com>
> Cc: Mark Wielaard <mjw@redhat.com>
> Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Thank you!
> ---
> tools/perf/util/probe-finder.c | 18 +++++++++++++++++-
> 1 file changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
> index c7918f83b300..b5247d777f0e 100644
> --- a/tools/perf/util/probe-finder.c
> +++ b/tools/perf/util/probe-finder.c
> @@ -989,8 +989,24 @@ static int debuginfo__find_probes(struct debuginfo *dbg,
> int ret = 0;
>
> #if _ELFUTILS_PREREQ(0, 142)
> + Elf *elf;
> + GElf_Ehdr ehdr;
> + GElf_Shdr shdr;
> +
> /* Get the call frame information from this dwarf */
> - pf->cfi = dwarf_getcfi_elf(dwarf_getelf(dbg->dbg));
> + elf = dwarf_getelf(dbg->dbg);
> + if (elf == NULL)
> + return -EINVAL;
> +
> + if (gelf_getehdr(elf, &ehdr) == NULL)
> + return -EINVAL;
> +
> + if (elf_section_by_name(elf, &ehdr, &shdr, ".eh_frame", NULL) &&
> + shdr.sh_type == SHT_PROGBITS) {
> + pf->cfi = dwarf_getcfi_elf(elf);
> + } else {
> + pf->cfi = dwarf_getcfi(dbg->dbg);
> + }
> #endif
>
> off = 0;
>
--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Research Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@hitachi.com
* Re: perf-probe crash in dwarf_getcfi_elf
From: Mark Wielaard @ 2014-12-31 19:42 UTC (permalink / raw)
To: Namhyung Kim
Cc: David Ahern, Masami Hiramatsu, Arnaldo Carvalho de Melo, LKML
On Tue, Dec 30, 2014 at 06:05:33PM +0900, Namhyung Kim wrote:
> And I found a related commit (5704c8c4fa71 "getcfi_scn_eh_frame: Don't
> crash and burn when .eh_frame bits aren't there.") in elfutils that
> can lead to an unexpected crash like this. To safely use the function,
> it needs to check that the .eh_frame section is of PROGBITS type.
Sorry about that bug. It was fixed in elfutils 0.156, released July 2013.
Latest elfutils release is 0.161.
Checking .eh_frame is SHT_PROGBITS (and not SHT_NOBITS) looks like the
correct workaround if you have to deal with older elfutils releases.
Note that dwarf_getcfi_elf gets the CFI information from the .eh_frame
section associated with the ELF file underlying the Dwarf dbg and needs
to be released with a call to dwarf_cfi_end (). dwarf_getcfi () gets the
CFI information from the .debug_frame section data of the Dwarf dbg
and gets automatically released when dwarf_end () is called (you should
not call dwarf_cfi_end () on the result).
If the Dwarf dbg handle is associated with a separate debuginfo file,
then the .eh_frame section data will not be available (has SHT_NOBITS)
and you can get the .eh_frame section (and call dwarf_getcfi_elf ()) on
the original ELF file from which the Dwarf debuginfo file was split off.
In your patch you call dwarf_getcfi () as a backup to get some CFI
information when you cannot call dwarf_getcfi_elf (). In general it
might make sense to also do this when dwarf_getcfi_elf fails. Or try
to get the CFI through both .eh_frame (from the executable ELF file)
with dwarf_getcfi_elf () and .debug_frame (from the Dwarf dbg file)
with dwarf_getcfi () and try to match an address in both tables
if one or the other fails.
Cheers,
Mark
* Re: perf-probe crash in dwarf_getcfi_elf
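The section-type check that Namhyung's patch performs through elf_section_by_name(), and the two CFI sources Mark describes above, as an added example in C that is not code from this thread, from perf or from elfutils. It works on a raw little-endian ELF64 image with local header definitions in place of libelf so it runs stand-alone, and goes one step beyond the patch by also checking that .debug_frame has bits before choosing the fallback; the sample image, its section sizes and the cfi_source enum are constructed for the example.

```c
/* Added example, not code from this thread, perf or elfutils: the .eh_frame
 * sh_type check the patch does via elf_section_by_name(), applied to a raw
 * little-endian ELF64 image with local header structs instead of libelf.
 * SHT_NOBITS is what a split debuginfo file carries for .eh_frame. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHT_PROGBITS 1                 /* values as in <elf.h> */
#define SHT_STRTAB   3
#define SHT_NOBITS   8
typedef struct {                       /* mirrors Elf64_Ehdr, 64 bytes */
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;  uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;  uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;
typedef struct {                       /* mirrors Elf64_Shdr, 64 bytes */
    uint32_t sh_name, sh_type;  uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;  uint64_t sh_addralign, sh_entsize;
} Shdr64;
enum cfi_source { CFI_BAD_ELF = -1, CFI_NONE, CFI_EH_FRAME, CFI_DEBUG_FRAME };

/* Find a section by name: 1 and its sh_type if present, 0 if absent, -1 if the
 * image is malformed. Every offset is bounds-checked; headers are untrusted. */
static int find_section_type(const uint8_t *img, size_t len,
                             const char *name, uint32_t *type_out)
{
    Ehdr64 eh; Shdr64 sh, strsh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 ||
        eh.e_ident[5] != 1 || eh.e_shentsize != sizeof sh)
        return -1;                                   /* not little-endian ELF64 */
    if (eh.e_shnum == 0 || eh.e_shstrndx >= eh.e_shnum || eh.e_shoff > len ||
        (len - eh.e_shoff) / sizeof sh < eh.e_shnum)
        return -1;                                   /* section table truncated */
    memcpy(&strsh, img + eh.e_shoff + (size_t)eh.e_shstrndx * sizeof sh, sizeof sh);
    if (strsh.sh_type != SHT_STRTAB || strsh.sh_offset > len ||
        strsh.sh_size > len - strsh.sh_offset)
        return -1;                                   /* shstrtab out of range */
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        memcpy(&sh, img + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        if (sh.sh_name >= strsh.sh_size) continue;   /* name offset past table */
        const char *s = (const char *)img + strsh.sh_offset + sh.sh_name;
        if (memchr(s, '\0', strsh.sh_size - sh.sh_name) == NULL) continue;
        if (strcmp(s, name) == 0) { *type_out = sh.sh_type; return 1; }
    }
    return 0;
}

/* Pick the libdw call that is safe for this image. One step beyond the patch:
 * the fallback is only taken when .debug_frame actually has bits. */
enum cfi_source choose_cfi_source(const uint8_t *img, size_t len)
{
    uint32_t type;
    int r = find_section_type(img, len, ".eh_frame", &type);
    if (r < 0) return CFI_BAD_ELF;
    if (r == 1 && type == SHT_PROGBITS)
        return CFI_EH_FRAME;    /* dwarf_getcfi_elf(); release with dwarf_cfi_end() */
    r = find_section_type(img, len, ".debug_frame", &type);
    if (r < 0) return CFI_BAD_ELF;
    if (r == 1 && type == SHT_PROGBITS)
        return CFI_DEBUG_FRAME; /* dwarf_getcfi(); owned by the Dwarf, freed by dwarf_end() */
    return CFI_NONE;
}

/* Constructed sample image (sizes made up): null, .shstrtab, .eh_frame, .debug_frame. */
static size_t build_sample(uint8_t *buf, size_t cap, uint32_t eh_type, uint32_t dbg_type)
{
    static const char strtab[] = "\0.shstrtab\0.eh_frame\0.debug_frame";
    const size_t shoff = 104, total = shoff + 4 * sizeof(Shdr64);
    Ehdr64 eh; Shdr64 sh[4];
    if (cap < total) return 0;
    memset(buf, 0, total); memset(&eh, 0, sizeof eh); memset(sh, 0, sizeof sh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1;            /* ELFCLASS64, ELFDATA2LSB */
    eh.e_shoff = shoff; eh.e_shentsize = sizeof(Shdr64); eh.e_shnum = 4; eh.e_shstrndx = 1;
    sh[1].sh_name = 1;  sh[1].sh_type = SHT_STRTAB; sh[1].sh_offset = 64; sh[1].sh_size = sizeof strtab;
    sh[2].sh_name = 11; sh[2].sh_type = eh_type;  sh[2].sh_size = 2596;
    sh[3].sh_name = 21; sh[3].sh_type = dbg_type; sh[3].sh_size = 4096;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + 64, strtab, sizeof strtab); memcpy(buf + shoff, sh, sizeof sh);
    return total;
}

/* Build a sample with the given section types and classify it. */
enum cfi_source classify_sample(uint32_t eh_type, uint32_t dbg_type)
{
    uint8_t img[512];
    return choose_cfi_source(img, build_sample(img, sizeof img, eh_type, dbg_type));
}
```

classify_sample(SHT_NOBITS, SHT_PROGBITS) models the split debuginfo file from the report and yields CFI_DEBUG_FRAME, while a stripped executable (SHT_PROGBITS, SHT_NOBITS) yields CFI_EH_FRAME.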
From: Namhyung Kim @ 2015-01-03 15:07 UTC (permalink / raw)
To: Mark Wielaard
Cc: David Ahern, Masami Hiramatsu, Arnaldo Carvalho de Melo, LKML
Hi Mark,
On Thu, Jan 1, 2015 at 4:42 AM, Mark Wielaard <mjw@redhat.com> wrote:
> On Tue, Dec 30, 2014 at 06:05:33PM +0900, Namhyung Kim wrote:
>> And I found a related commit (5704c8c4fa71 "getcfi_scn_eh_frame: Don't
>> crash and burn when .eh_frame bits aren't there.") in elfutils that
>> can lead to an unexpected crash like this. To safely use the function,
>> it needs to check that the .eh_frame section is of PROGBITS type.
>
> Sorry about that bug. It was fixed in elfutils 0.156, released July 2013.
> Latest elfutils release is 0.161.
>
> Checking .eh_frame is SHT_PROGBITS (and not SHT_NOBITS) looks like the
> correct workaround if you have to deal with older elfutils releases.
Thanks for confirming this.
>
> Note that dwarf_getcfi_elf gets the CFI information from the .eh_frame
> section associated with the ELF file underlying the Dwarf dbg and needs
> to be released with a call to dwarf_cfi_end (). dwarf_getcfi () gets the
> CFI information from the .debug_frame section data of the Dwarf dbg
> and gets automatically released when dwarf_end () is called (you should
> not call dwarf_cfi_end () on the result).
Ah, it's good to know. I have to check the code.
>
> If the Dwarf dbg handle is associated with a separate debuginfo file,
> then the .eh_frame section data will not be available (has SHT_NOBITS)
> and you can get the .eh_frame section (and call dwarf_getcfi_elf ()) on
> the original ELF file from which the Dwarf debuginfo file was split off.
>
> In your patch you call dwarf_getcfi () as a backup to get some CFI
> information when you cannot call dwarf_getcfi_elf (). In general it
> might make sense to also do this when dwarf_getcfi_elf fails. Or try
> to get the CFI through both .eh_frame (from the executable ELF file)
> with dwarf_getcfi_elf () and .debug_frame (from the Dwarf dbg file)
> with dwarf_getcfi () and try to match an address in both tables
> if one or the other fails.
Thanks for your advice; I'll make a follow-up patch to address your comments.
Thanks,
Namhyung
* [tip:perf/urgent] perf probe: Fix crash in dwarf_getcfi_elf
From: tip-bot for Namhyung Kim @ 2015-01-08 9:52 UTC (permalink / raw)
To: linux-tip-commits
Cc: masami.hiramatsu.pt, mingo, dsahern, tglx, linux-kernel, mjw,
acme, namhyung, hpa
Commit-ID: 4093325f829746b88eaf02a5ae3b88a325ea8b75
Gitweb: http://git.kernel.org/tip/4093325f829746b88eaf02a5ae3b88a325ea8b75
Author: Namhyung Kim <namhyung@kernel.org>
AuthorDate: Tue, 30 Dec 2014 17:47:47 +0900
Committer: Arnaldo Carvalho de Melo <acme@redhat.com>
CommitDate: Fri, 2 Jan 2015 12:44:01 -0300
perf probe: Fix crash in dwarf_getcfi_elf
David reported that perf can segfault when adding an uprobe event like
this:
$ perf probe -x /lib64/libc-2.14.90.so -a 'malloc size=%di'
(gdb) bt
#0 parse_eh_frame_hdr (hdr=0x0, hdr_size=2596, hdr_vaddr=71788,
ehdr=0x7fffffffd390, eh_frame_vaddr=
0x7fffffffd378, table_entries=0x8808d8, table_encoding=0x8808e0 "") at
dwarf_getcfi_elf.c:79
#1 0x000000385f81615a in getcfi_scn_eh_frame (hdr_vaddr=71788,
hdr_scn=0x8839b0, shdr=0x7fffffffd2f0, scn=<optimized out>,
ehdr=0x7fffffffd390, elf=0x882b30) at dwarf_getcfi_elf.c:231
#2 getcfi_shdr (ehdr=0x7fffffffd390, elf=0x882b30) at dwarf_getcfi_elf.c:283
#3 dwarf_getcfi_elf (elf=0x882b30) at dwarf_getcfi_elf.c:309
#4 0x00000000004d5bac in debuginfo__find_probes (pf=0x7fffffffd4f0,
dbg=Unhandled dwarf expression opcode 0xfa) at util/probe-finder.c:993
#5 0x00000000004d634a in debuginfo__find_trace_events (dbg=0x880840,
pev=<optimized out>, tevs=0x880f88, max_tevs=<optimized out>) at
util/probe-finder.c:1200
#6 0x00000000004aed6b in try_to_find_probe_trace_events (target=0x881b20
"/lib64/libpthread-2.14.90.so",
max_tevs=128, tevs=0x880f88, pev=0x859b30) at util/probe-event.c:482
#7 convert_to_probe_trace_events (target=0x881b20
"/lib64/libpthread-2.14.90.so", max_tevs=128, tevs=0x880f88,
pev=0x859b30) at util/probe-event.c:2356
#8 add_perf_probe_events (pevs=<optimized out>, npevs=1, max_tevs=128,
target=0x881b20 "/lib64/libpthread-2.14.90.so", force_add=false) at
util/probe-event.c:2391
#9 0x000000000044014f in __cmd_probe (argc=<optimized out>,
argv=0x7fffffffe2f0, prefix=Unhandled dwarf expression opcode 0xfa) at
at builtin-probe.c:488
#10 0x0000000000440313 in cmd_probe (argc=5, argv=0x7fffffffe2f0,
prefix=<optimized out>) at builtin-probe.c:506
#11 0x000000000041d133 in run_builtin (p=0x805680, argc=5,
argv=0x7fffffffe2f0) at perf.c:341
#12 0x000000000041c8b2 in handle_internal_command (argv=<optimized out>,
argc=<optimized out>) at perf.c:400
#13 run_argv (argv=<optimized out>, argcp=<optimized out>) at perf.c:444
#14 main (argc=5, argv=0x7fffffffe2f0) at perf.c:559
And I found a related commit (5704c8c4fa71 "getcfi_scn_eh_frame: Don't
crash and burn when .eh_frame bits aren't there.") in elfutils that can
lead to an unexpected crash like this. To safely use the function, it
needs to check that the .eh_frame section is of PROGBITS type.
Reported-by: David Ahern <dsahern@gmail.com>
Tested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Mark Wielaard <mjw@redhat.com>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Link: http://lkml.kernel.org/r/20141230090533.GH6081@sejong
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
tools/perf/util/probe-finder.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
index c7918f8..b5247d7 100644
--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -989,8 +989,24 @@ static int debuginfo__find_probes(struct debuginfo *dbg,
int ret = 0;
#if _ELFUTILS_PREREQ(0, 142)
+ Elf *elf;
+ GElf_Ehdr ehdr;
+ GElf_Shdr shdr;
+
/* Get the call frame information from this dwarf */
- pf->cfi = dwarf_getcfi_elf(dwarf_getelf(dbg->dbg));
+ elf = dwarf_getelf(dbg->dbg);
+ if (elf == NULL)
+ return -EINVAL;
+
+ if (gelf_getehdr(elf, &ehdr) == NULL)
+ return -EINVAL;
+
+ if (elf_section_by_name(elf, &ehdr, &shdr, ".eh_frame", NULL) &&
+ shdr.sh_type == SHT_PROGBITS) {
+ pf->cfi = dwarf_getcfi_elf(elf);
+ } else {
+ pf->cfi = dwarf_getcfi(dbg->dbg);
+ }
#endif
off = 0;
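Review bot: the workaround runs unconditionally even though, per Mark Wielaard's reply in this thread, the libdw crash was fixed in elfutils 0.156; since the block is already gated on `_ELFUTILS_PREREQ(0, 142)`, the extra section lookup could be limited to builds where `!_ELFUTILS_PREREQ(0, 156)` holds, leaving fixed versions with the direct dwarf_getcfi_elf() call. Independently of the version, a NULL return from dwarf_getcfi_elf() is still not handled here; falling back to dwarf_getcfi(dbg->dbg) in that case would cover both the old and the fixed library behaviour.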