From: Andi Kleen <andi@firstfloor.org>
To: acme@kernel.org
Cc: jolsa@kernel.org, linux-kernel@vger.kernel.org,
	Andi Kleen <ak@linux.intel.com>
Subject: [PATCH v1 01/15] perf, tools, stat: Fix buffer overflow while freeing events
Date: Mon, 24 Jul 2017 16:40:01 -0700	[thread overview]
Message-ID: <20170724234015.5165-2-andi@firstfloor.org> (raw)
In-Reply-To: <20170724234015.5165-1-andi@firstfloor.org>

From: Andi Kleen <ak@linux.intel.com>

Fix buffer overflow for

% perf stat -e msr/tsc/,cstate_core/c7-residency/ true

that causes glibc free list corruption. For some reason
it doesn't trigger in valgrind, but it is visible in AS:

=================================================================
==32681==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000003f5c at pc 0x0000005671ef bp 0x7ffdaaac9ac0 sp 0x7ffdaaac9ab0
READ of size 4 at 0x603000003f5c thread T0
    #0 0x5671ee in perf_evsel__close_fd util/evsel.c:1196
    #1 0x56c57a in perf_evsel__close util/evsel.c:1717
    #2 0x55ed5f in perf_evlist__close util/evlist.c:1631
    #3 0x4647e1 in __run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:749
    #4 0x4648e3 in run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:767
    #5 0x46e1bc in cmd_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:2785
    #6 0x52f83d in run_builtin /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:296
    #7 0x52fd49 in handle_internal_command /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:348
    #8 0x5300de in run_argv /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:392
    #9 0x5308f3 in main /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:530
    #10 0x7f0672d13400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #11 0x428419 in _start (/home/ak/hle/obj-perf/perf+0x428419)

0x603000003f5c is located 0 bytes to the right of 28-byte region [0x603000003f40,0x603000003f5c)
allocated by thread T0 here:
    #0 0x7f0675139020 in calloc (/lib64/libasan.so.3+0xc7020)
    #1 0x648a2d in zalloc util/util.h:23
    #2 0x648a88 in xyarray__new util/xyarray.c:9
    #3 0x566419 in perf_evsel__alloc_fd util/evsel.c:1039
    #4 0x56b427 in perf_evsel__open util/evsel.c:1529
    #5 0x56c620 in perf_evsel__open_per_thread util/evsel.c:1730
    #6 0x461dea in create_perf_stat_counter /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:263
    #7 0x4637d7 in __run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:600
    #8 0x4648e3 in run_perf_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:767
    #9 0x46e1bc in cmd_stat /home/ak/hle/linux-hle-2.6/tools/perf/builtin-stat.c:2785
    #10 0x52f83d in run_builtin /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:296
    #11 0x52fd49 in handle_internal_command /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:348
    #12 0x5300de in run_argv /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:392
    #13 0x5308f3 in main /home/ak/hle/linux-hle-2.6/tools/perf/perf.c:530
    #14 0x7f0672d13400 in __libc_start_main (/lib64/libc.so.6+0x20400)

The event is allocated with cpus == 1, but freed with cpus == real number.
When the evsel close function walks the file descriptors it exceeds the
fd xyarray boundaries and reads random memory.

Just make sure to always use the same dummy cpu map following
the same logic as the open call.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
---
 tools/perf/builtin-stat.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
index 48ac53b199fc..97d6b6c42014 100644
--- a/tools/perf/builtin-stat.c
+++ b/tools/perf/builtin-stat.c
@@ -715,6 +715,8 @@ static int __run_perf_stat(int argc, const char **argv)
 	 * group leaders.
 	 */
 	read_counters();
+	if (!target__has_cpu(&target))
+		evsel_list->cpus = cpu_map__dummy_new();
 	perf_evlist__close(evsel_list);
 
 	return WEXITSTATUS(status);
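Review bot: the assignment `evsel_list->cpus = cpu_map__dummy_new();` replaces whatever map the evlist already holds without releasing it, so on this path the previous cpu map is dropped on the floor; if the evlist owns a counted reference (assumption; the hunk does not show how `cpus` was acquired), put it with `cpu_map__put()` before installing the replacement. `cpu_map__dummy_new()` can also fail to allocate, and the hunk does not check its result, so `perf_evlist__close(evsel_list)` would then run with `cpus == NULL`; a NULL check that bails out, or at least logs, before the close would be safer. Finally, the condition `!target__has_cpu(&target)` only fixes the overflow while it stays identical to the one used when the counters were opened; a one-line comment here saying that the two must match would help the next person who edits either site.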
-- 
2.9.4
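A worked illustration of the allocation/close mismatch the commit message describes, written as an added example for this page and not taken from the patch or from perf's sources: `struct xyarray`, `fd_slot`, `count_out_of_bounds`, `close_fds_safely` and the `demo_*` functions are a constructed stand-in that copies only the shape of perf's per-(cpu, thread) fd table, with made-up dimensions. It contrasts a walk driven by caller-supplied cpu and thread counts (the pattern that ran past the 28-byte region in the ASan report) with a close that takes its bounds from the table's own recorded dimensions.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Stand-in for perf's xyarray: a 2-D table of per-(cpu, thread) slots.
 * Constructed for this example; it copies the layout idea (rows of
 * fixed-size entries behind a small header) but is not perf's code.
 */
struct xyarray {
	size_t row_size;
	size_t entry_size;
	size_t max_x;	/* cpus the table was allocated for */
	size_t max_y;	/* threads the table was allocated for */
	char contents[];
};

static struct xyarray *xyarray__new(size_t xlen, size_t ylen, size_t entry_size)
{
	size_t row_size = ylen * entry_size;
	struct xyarray *xy = calloc(1, sizeof(*xy) + xlen * row_size);

	if (xy) {
		xy->row_size = row_size;
		xy->entry_size = entry_size;
		xy->max_x = xlen;
		xy->max_y = ylen;
	}
	return xy;
}

static int *fd_slot(struct xyarray *xy, size_t cpu, size_t thread)
{
	return (int *)&xy->contents[cpu * xy->row_size + thread * xy->entry_size];
}

/*
 * Models the bug: the close path walks ncpus x nthreads using counts the
 * caller believes are current, not the counts the table was built with.
 * Instead of dereferencing out-of-range slots (what ASan caught in perf),
 * this counts how many slots such a walk would touch past the allocation.
 */
int count_out_of_bounds(const struct xyarray *xy, size_t ncpus, size_t nthreads)
{
	int oob = 0;

	for (size_t cpu = 0; cpu < ncpus; cpu++)
		for (size_t thread = 0; thread < nthreads; thread++)
			if (cpu >= xy->max_x || thread >= xy->max_y)
				oob++;
	return oob;
}

/*
 * Hardened close: bounds come from the table itself, so a mismatch between
 * the open-time and close-time cpu maps cannot push the walk off the end.
 * Returns how many slots held an open fd (>= 0) and were closed.
 */
int close_fds_safely(struct xyarray *xy)
{
	int closed = 0;

	for (size_t cpu = 0; cpu < xy->max_x; cpu++)
		for (size_t thread = 0; thread < xy->max_y; thread++) {
			int *slot = fd_slot(xy, cpu, thread);

			if (*slot >= 0) {	/* perf would call close(*slot) here */
				*slot = -1;
				closed++;
			}
		}
	return closed;
}

/* Reproduces the shape of the report: allocated for 1 cpu, walked for 4. */
int demo_mismatch(void)
{
	struct xyarray *fd = xyarray__new(1, 1, sizeof(int));
	int oob;

	if (!fd)
		return -1;
	oob = count_out_of_bounds(fd, 4, 1);
	free(fd);
	return oob;	/* 3 slots past the 1x1 allocation */
}

/* Fills a 2x3 table with fake fds and closes it using its own bounds. */
int demo_safe_close(void)
{
	struct xyarray *fd = xyarray__new(2, 3, sizeof(int));
	int closed;

	if (!fd)
		return -1;
	for (size_t cpu = 0; cpu < fd->max_x; cpu++)
		for (size_t thread = 0; thread < fd->max_y; thread++)
			*fd_slot(fd, cpu, thread) = 10 + (int)(cpu * 3 + thread);
	closed = close_fds_safely(fd);	/* 6; a second call would close 0 */
	free(fd);
	return closed;
}

int main(void)
{
	printf("slots past a 1-cpu table in a 4-cpu walk: %d\n", demo_mismatch());
	printf("fds closed by bounded close of a 2x3 table: %d\n", demo_safe_close());
	return 0;
}
```

The counting function reports the overrun instead of performing it, so the example runs cleanly under AddressSanitizer; the defensive shape it shows is to drive the close loop from the array's stored dimensions rather than from whatever cpu map the evlist happens to hold at close time, which the patch above achieves indirectly by re-installing the same dummy map that was used when the counters were opened.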
