[PATCH] perf tools: Fix potential array out of bounce accessing

[PATCH] perf tools: Fix potential array out of bounce accessing

[Wang Nan]

There is a problem in dwarf-regs.c of sh, sparc and x86 that it is
possible to make an out-of-bound array accessing when searching
register names. This patch fixes it by replacing '<=' to '<', so when
register (number == XXX_MAX_REGS), get_arch_regstr() returns NULL.

Signed-off-by: Wang Nan <wangnan0@huawei.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Matt Fleming <matt@console-pimps.org>
Cc: Jiri Olsa <jolsa@kernel.org>
---
 tools/perf/arch/sh/util/dwarf-regs.c    | 2 +-
 tools/perf/arch/sparc/util/dwarf-regs.c | 2 +-
 tools/perf/arch/x86/util/dwarf-regs.c   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/perf/arch/sh/util/dwarf-regs.c b/tools/perf/arch/sh/util/dwarf-regs.c
index 0d0897f..f8dfa89 100644
--- a/tools/perf/arch/sh/util/dwarf-regs.c
+++ b/tools/perf/arch/sh/util/dwarf-regs.c
@@ -51,5 +51,5 @@ const char *sh_regs_table[SH_MAX_REGS] = {
 /* Return architecture dependent register string (for kprobe-tracer) */
 const char *get_arch_regstr(unsigned int n)
 {
-	return (n <= SH_MAX_REGS) ? sh_regs_table[n] : NULL;
+	return (n < SH_MAX_REGS) ? sh_regs_table[n] : NULL;
 }
diff --git a/tools/perf/arch/sparc/util/dwarf-regs.c b/tools/perf/arch/sparc/util/dwarf-regs.c
index 92eda41..b704fdb 100644
--- a/tools/perf/arch/sparc/util/dwarf-regs.c
+++ b/tools/perf/arch/sparc/util/dwarf-regs.c
@@ -39,5 +39,5 @@ const char *sparc_regs_table[SPARC_MAX_REGS] = {
  */
 const char *get_arch_regstr(unsigned int n)
 {
-	return (n <= SPARC_MAX_REGS) ? sparc_regs_table[n] : NULL;
+	return (n < SPARC_MAX_REGS) ? sparc_regs_table[n] : NULL;
 }
diff --git a/tools/perf/arch/x86/util/dwarf-regs.c b/tools/perf/arch/x86/util/dwarf-regs.c
index be22dd4..a08de0a 100644
--- a/tools/perf/arch/x86/util/dwarf-regs.c
+++ b/tools/perf/arch/x86/util/dwarf-regs.c
@@ -71,5 +71,5 @@ const char *x86_64_regs_table[X86_64_MAX_REGS] = {
 /* Return architecture dependent register string (for kprobe-tracer) */
 const char *get_arch_regstr(unsigned int n)
 {
-	return (n <= ARCH_MAX_REGS) ? arch_regs_table[n] : NULL;
+	return (n < ARCH_MAX_REGS) ? arch_regs_table[n] : NULL;
 }
-- 
1.8.3.4

Re: [PATCH] perf tools: Fix potential array out of bounce accessing

[Matt Fleming]

On Tue, 01 Sep, at 03:29:44AM, Wang Nan wrote:
> There is a problem in dwarf-regs.c of sh, sparc and x86 that it is
> possible to make an out-of-bound array accessing when searching
> register names. This patch fixes it by replacing '<=' to '<', so when
> register (number == XXX_MAX_REGS), get_arch_regstr() returns NULL.
> 
> Signed-off-by: Wang Nan <wangnan0@huawei.com>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Matt Fleming <matt@console-pimps.org>
> Cc: Jiri Olsa <jolsa@kernel.org>
> ---
>  tools/perf/arch/sh/util/dwarf-regs.c    | 2 +-
>  tools/perf/arch/sparc/util/dwarf-regs.c | 2 +-
>  tools/perf/arch/x86/util/dwarf-regs.c   | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)

Hmm, I wonder how that bug was introduced. I guess copy and paste is
probably to blame. Good catch.

Reviewed-by: Matt Fleming <matt.fleming@intel.com>

-- 
Matt Fleming, Intel Open Source Technology Center

Re: [PATCH] perf tools: Fix potential array out of bounce accessing

[Jiri Olsa]

On Tue, Sep 01, 2015 at 03:29:44AM +0000, Wang Nan wrote:
> There is a problem in dwarf-regs.c of sh, sparc and x86 that it is
> possible to make an out-of-bound array accessing when searching
> register names. This patch fixes it by replacing '<=' to '<', so when
> register (number == XXX_MAX_REGS), get_arch_regstr() returns NULL.
> 

Acked-by: Jiri Olsa <jolsa@kernel.org>

thanks,
jirka

RE: [PATCH] perf tools: Fix potential array out of bounce accessing

[平松雅巳 / HIRAMATU，MASAMI]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 2626 bytes --]

> From: Wang Nan [mailto:wangnan0@huawei.com]
> 
> There is a problem in dwarf-regs.c of sh, sparc and x86 that it is
> possible to make an out-of-bound array accessing when searching
> register names. This patch fixes it by replacing '<=' to '<', so when
> register (number == XXX_MAX_REGS), get_arch_regstr() returns NULL.

Oops, right!

Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>

Thank you!

> 
> Signed-off-by: Wang Nan <wangnan0@huawei.com>
> Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
> Cc: David S. Miller <davem@davemloft.net>
> Cc: Matt Fleming <matt@console-pimps.org>
> Cc: Jiri Olsa <jolsa@kernel.org>
> ---
>  tools/perf/arch/sh/util/dwarf-regs.c    | 2 +-
>  tools/perf/arch/sparc/util/dwarf-regs.c | 2 +-
>  tools/perf/arch/x86/util/dwarf-regs.c   | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/tools/perf/arch/sh/util/dwarf-regs.c b/tools/perf/arch/sh/util/dwarf-regs.c
> index 0d0897f..f8dfa89 100644
> --- a/tools/perf/arch/sh/util/dwarf-regs.c
> +++ b/tools/perf/arch/sh/util/dwarf-regs.c
> @@ -51,5 +51,5 @@ const char *sh_regs_table[SH_MAX_REGS] = {
>  /* Return architecture dependent register string (for kprobe-tracer) */
>  const char *get_arch_regstr(unsigned int n)
>  {
> -	return (n <= SH_MAX_REGS) ? sh_regs_table[n] : NULL;
> +	return (n < SH_MAX_REGS) ? sh_regs_table[n] : NULL;
>  }
> diff --git a/tools/perf/arch/sparc/util/dwarf-regs.c b/tools/perf/arch/sparc/util/dwarf-regs.c
> index 92eda41..b704fdb 100644
> --- a/tools/perf/arch/sparc/util/dwarf-regs.c
> +++ b/tools/perf/arch/sparc/util/dwarf-regs.c
> @@ -39,5 +39,5 @@ const char *sparc_regs_table[SPARC_MAX_REGS] = {
>   */
>  const char *get_arch_regstr(unsigned int n)
>  {
> -	return (n <= SPARC_MAX_REGS) ? sparc_regs_table[n] : NULL;
> +	return (n < SPARC_MAX_REGS) ? sparc_regs_table[n] : NULL;
>  }
> diff --git a/tools/perf/arch/x86/util/dwarf-regs.c b/tools/perf/arch/x86/util/dwarf-regs.c
> index be22dd4..a08de0a 100644
> --- a/tools/perf/arch/x86/util/dwarf-regs.c
> +++ b/tools/perf/arch/x86/util/dwarf-regs.c
> @@ -71,5 +71,5 @@ const char *x86_64_regs_table[X86_64_MAX_REGS] = {
>  /* Return architecture dependent register string (for kprobe-tracer) */
>  const char *get_arch_regstr(unsigned int n)
>  {
> -	return (n <= ARCH_MAX_REGS) ? arch_regs_table[n] : NULL;
> +	return (n < ARCH_MAX_REGS) ? arch_regs_table[n] : NULL;
>  }
> --
> 1.8.3.4

ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a­¢f£¢·hšïêÿ‘êçz_è®\x03(­éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥

[tip:perf/urgent] perf dwarf: Fix potential array out of bounds access

[tip-bot for Wang Nan]

Commit-ID:  3b27d13940c3710a1128527c43719cb0bb05d73b
Gitweb:     http://git.kernel.org/tip/3b27d13940c3710a1128527c43719cb0bb05d73b
Author:     Wang Nan <wangnan0@huawei.com>
AuthorDate: Tue, 1 Sep 2015 03:29:44 +0000
Committer:  Arnaldo Carvalho de Melo <acme@redhat.com>
CommitDate: Tue, 1 Sep 2015 11:33:48 -0300

perf dwarf: Fix potential array out of bounds access

There is a problem in the dwarf-regs.c files for sh, sparc and x86 where
it is possible to make an out-of-bounds array access when searching for
register names.

This patch fixes it by replacing '<=' to '<', so when register (number
== XXX_MAX_REGS), get_arch_regstr() will return NULL.

Signed-off-by: Wang Nan <wangnan0@huawei.com>
Reviewed-by: Matt Fleming <matt@console-pimps.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Zefan Li <lizefan@huawei.com>
Cc: pi3orama@huawei.com
Link: http://lkml.kernel.org/r/1441078184-105038-1-git-send-email-wangnan0@huawei.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 tools/perf/arch/sh/util/dwarf-regs.c    | 2 +-
 tools/perf/arch/sparc/util/dwarf-regs.c | 2 +-
 tools/perf/arch/x86/util/dwarf-regs.c   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/perf/arch/sh/util/dwarf-regs.c b/tools/perf/arch/sh/util/dwarf-regs.c
index 0d0897f..f8dfa89 100644
--- a/tools/perf/arch/sh/util/dwarf-regs.c
+++ b/tools/perf/arch/sh/util/dwarf-regs.c
@@ -51,5 +51,5 @@ const char *sh_regs_table[SH_MAX_REGS] = {
 /* Return architecture dependent register string (for kprobe-tracer) */
 const char *get_arch_regstr(unsigned int n)
 {
-	return (n <= SH_MAX_REGS) ? sh_regs_table[n] : NULL;
+	return (n < SH_MAX_REGS) ? sh_regs_table[n] : NULL;
 }
diff --git a/tools/perf/arch/sparc/util/dwarf-regs.c b/tools/perf/arch/sparc/util/dwarf-regs.c
index 92eda41..b704fdb 100644
--- a/tools/perf/arch/sparc/util/dwarf-regs.c
+++ b/tools/perf/arch/sparc/util/dwarf-regs.c
@@ -39,5 +39,5 @@ const char *sparc_regs_table[SPARC_MAX_REGS] = {
  */
 const char *get_arch_regstr(unsigned int n)
 {
-	return (n <= SPARC_MAX_REGS) ? sparc_regs_table[n] : NULL;
+	return (n < SPARC_MAX_REGS) ? sparc_regs_table[n] : NULL;
 }
diff --git a/tools/perf/arch/x86/util/dwarf-regs.c b/tools/perf/arch/x86/util/dwarf-regs.c
index be22dd4..a08de0a 100644
--- a/tools/perf/arch/x86/util/dwarf-regs.c
+++ b/tools/perf/arch/x86/util/dwarf-regs.c
@@ -71,5 +71,5 @@ const char *x86_64_regs_table[X86_64_MAX_REGS] = {
 /* Return architecture dependent register string (for kprobe-tracer) */
 const char *get_arch_regstr(unsigned int n)
 {
-	return (n <= ARCH_MAX_REGS) ? arch_regs_table[n] : NULL;
+	return (n < ARCH_MAX_REGS) ? arch_regs_table[n] : NULL;
 }