Re: [PATCH] Fix off by one in tools/perf strncpy size argument

From: Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>
To: Dominik 'disconnect3d' Czarnota <dominik.b.czarnota@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
	Song Liu <songliubraving@fb.com>,
	John Keeping <john@metanate.com>,
	Changbin Du <changbin.du@intel.com>,
	linux-kernel@vger.kernel.org,
	Michael Lentine <mlentine@google.com>,
	Stephane Eranian <eranian@google.com>
Subject: Re: [PATCH] Fix off by one in tools/perf strncpy size argument
Date: Mon, 9 Mar 2020 09:39:40 -0300	[thread overview]
Message-ID: <20200309123940.GA29841@kernel.org> (raw)
In-Reply-To: <20200309104855.3775-1-dominik.b.czarnota@gmail.com>

Em Mon, Mar 09, 2020 at 11:48:53AM +0100, Dominik 'disconnect3d' Czarnota escreveu:
> From: disconnect3d <dominik.b.czarnota@gmail.com>
> 
> This patch fixes an off-by-one error in strncpy size argument in
> tools/perf/util/map.c. The issue is that in:
> 
>         strncmp(filename, "/system/lib/", 11)
> 
> the passed string literal: "/system/lib/" has 12 bytes (without the NULL
> byte) and the passed size argument is 11. As a result, the logic won't
> match the ending "/" byte and will pass filepaths that are stored in
> other directories e.g. "/system/libmalicious/bin" or just
> "/system/libmalicious".
> 
> This functionality seems to be present only on Android. I assume the
> /system/ directory is only writable by the root user, so I don't
> think this bug has much (or any) security impact.
> 
> Signed-off-by: disconnect3d <dominik.b.czarnota@gmail.com>
> ---
> 
> Notes:
>     I can't test this patch, so if someone can, please, do so.
>     
>     The bug could also be fixed by changing the size argument to `sizeof("string literal")-1` but I am not proposing this change as that would have to be changed in other places.

So, there are parts of this tools/perf/util/map.c that uses the idiom
you mention, for instance:

static inline int is_anon_memory(const char *filename, u32 flags)
{
        return flags & MAP_HUGETLB ||
               !strcmp(filename, "//anon") ||
               !strncmp(filename, "/dev/zero", sizeof("/dev/zero") - 1) ||
               !strncmp(filename, "/anon_hugepage", sizeof("/anon_hugepage") - 1);
}

So I think we should make all cases use this idim to avoid these
problems.

So I'll add your patch, then another, on top, that fixes the other
off-by-one errors introduced by the android specific code in this patch:

Fixes: eca818369996 ("perf tools: Add automatic remapping of Android libraries")

Put this in perf/urgent and then in perf/core move to the more robust
idiom,

Thanks,

- Arnaldo

>     There are also more cases like this in kernel sources which I am going to report soon.
>     
>     Also please note that other path comparisons in this file lack the "/" at the end and it seems they may imply similar issue. I haven't analysed the code deeply to see if that is a real issue.
>     
>     This bug has been found by running a massive grep-like search using Google's BigQuery on GitHub repositories data. I am also going to work on a CodeQL/Semmle query to be able to find more sophisticated cases like this that can't be found via grepping.
> 
>  tools/perf/util/map.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
> index a08ca276098e..addd7edb0486 100644
> --- a/tools/perf/util/map.c
> +++ b/tools/perf/util/map.c
> @@ -89,7 +89,7 @@ static inline bool replace_android_lib(const char *filename, char *newfilename)
>  		return true;
>  	}
>  
> -	if (!strncmp(filename, "/system/lib/", 11)) {
> +	if (!strncmp(filename, "/system/lib/", 12)) {
>  		char *ndk, *app;
>  		const char *arch;
>  		size_t ndk_length;
> -- 
> 2.25.1
> 

-- 

- Arnaldo