* [PATCH] perf arm-spe: Avoid potential buffer overrun.
@ 2021-04-07 15:39 Ian Rogers
2021-04-07 19:24 ` Arnaldo Carvalho de Melo
0 siblings, 1 reply; 2+ messages in thread
From: Ian Rogers @ 2021-04-07 15:39 UTC (permalink / raw)
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
Leo Yan, Andre Przywara, Will Deacon, Dave Martin, linux-kernel
Cc: Stephane Eranian, Ian Rogers
SPE extended headers are >1 byte so ensure the buffer contains at
least this before reading. This issue was detected by fuzzing.
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
index f3ac9d40cebf..2e5eff4f8f03 100644
--- a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
+++ b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
@@ -210,8 +210,10 @@ static int arm_spe_do_get_packet(const unsigned char *buf, size_t len,
if ((hdr & SPE_HEADER0_MASK2) == SPE_HEADER0_EXTENDED) {
/* 16-bit extended format header */
- ext_hdr = 1;
+ if (len == 1)
+ return ARM_SPE_BAD_PACKET;
+ ext_hdr = 1;
hdr = buf[1];
if (hdr == SPE_HEADER1_ALIGNMENT)
return arm_spe_get_alignment(buf, len, packet);
--
2.31.0.208.g409f899ff0-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] perf arm-spe: Avoid potential buffer overrun.
2021-04-07 15:39 [PATCH] perf arm-spe: Avoid potential buffer overrun Ian Rogers
@ 2021-04-07 19:24 ` Arnaldo Carvalho de Melo
0 siblings, 0 replies; 2+ messages in thread
From: Arnaldo Carvalho de Melo @ 2021-04-07 19:24 UTC (permalink / raw)
To: Ian Rogers
Cc: Peter Zijlstra, Ingo Molnar, Mark Rutland, Alexander Shishkin,
Jiri Olsa, Namhyung Kim, Leo Yan, Andre Przywara, Will Deacon,
Dave Martin, linux-kernel, Stephane Eranian
Em Wed, Apr 07, 2021 at 08:39:55AM -0700, Ian Rogers escreveu:
> SPE extended headers are >1 byte so ensure the buffer contains at
> least this before reading. This issue was detected by fuzzing.
Thanks, applied.
- Arnaldo
> Signed-off-by: Ian Rogers <irogers@google.com>
> ---
> tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
> index f3ac9d40cebf..2e5eff4f8f03 100644
> --- a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
> +++ b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
> @@ -210,8 +210,10 @@ static int arm_spe_do_get_packet(const unsigned char *buf, size_t len,
>
> if ((hdr & SPE_HEADER0_MASK2) == SPE_HEADER0_EXTENDED) {
> /* 16-bit extended format header */
> - ext_hdr = 1;
> + if (len == 1)
> + return ARM_SPE_BAD_PACKET;
>
> + ext_hdr = 1;
> hdr = buf[1];
> if (hdr == SPE_HEADER1_ALIGNMENT)
> return arm_spe_get_alignment(buf, len, packet);
> --
> 2.31.0.208.g409f899ff0-goog
>
--
- Arnaldo
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-07 19:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-07 15:39 [PATCH] perf arm-spe: Avoid potential buffer overrun Ian Rogers
2021-04-07 19:24 ` Arnaldo Carvalho de Melo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).