* [PATCH] perf arm-spe: Avoid potential buffer overrun.
@ 2021-04-07 15:39 Ian Rogers
2021-04-07 19:24 ` Arnaldo Carvalho de Melo
0 siblings, 1 reply; 2+ messages in thread
From: Ian Rogers @ 2021-04-07 15:39 UTC
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
Leo Yan, Andre Przywara, Will Deacon, Dave Martin, linux-kernel
Cc: Stephane Eranian, Ian Rogers
SPE extended headers are >1 byte so ensure the buffer contains at
least this before reading. This issue was detected by fuzzing.
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
index f3ac9d40cebf..2e5eff4f8f03 100644
--- a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
+++ b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
@@ -210,8 +210,10 @@ static int arm_spe_do_get_packet(const unsigned char *buf, size_t len,
if ((hdr & SPE_HEADER0_MASK2) == SPE_HEADER0_EXTENDED) {
/* 16-bit extended format header */
- ext_hdr = 1;
+ if (len == 1)
+ return ARM_SPE_BAD_PACKET;
+ ext_hdr = 1;
hdr = buf[1];
if (hdr == SPE_HEADER1_ALIGNMENT)
return arm_spe_get_alignment(buf, len, packet);
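Review bot: the new guard `if (len == 1)` rejects only a buffer of exactly one byte, so the `hdr = buf[1]` read below it is safe only if `len` can never be 0 at this point, which the hunk does not show. Writing the condition as `len < 2` would state the real requirement (two bytes for the 16-bit extended header) and would stay correct whatever checks precede it.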
--
2.31.0.208.g409f899ff0-goog
* Re: [PATCH] perf arm-spe: Avoid potential buffer overrun.
2021-04-07 15:39 [PATCH] perf arm-spe: Avoid potential buffer overrun Ian Rogers
@ 2021-04-07 19:24 ` Arnaldo Carvalho de Melo
0 siblings, 0 replies; 2+ messages in thread
From: Arnaldo Carvalho de Melo @ 2021-04-07 19:24 UTC
To: Ian Rogers
Cc: Peter Zijlstra, Ingo Molnar, Mark Rutland, Alexander Shishkin,
Jiri Olsa, Namhyung Kim, Leo Yan, Andre Przywara, Will Deacon,
Dave Martin, linux-kernel, Stephane Eranian
On Wed, Apr 07, 2021 at 08:39:55AM -0700, Ian Rogers wrote:
> SPE extended headers are >1 byte so ensure the buffer contains at
> least this before reading. This issue was detected by fuzzing.
Thanks, applied.
- Arnaldo
> Signed-off-by: Ian Rogers <irogers@google.com>
> ---
> tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
> index f3ac9d40cebf..2e5eff4f8f03 100644
> --- a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
> +++ b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
> @@ -210,8 +210,10 @@ static int arm_spe_do_get_packet(const unsigned char *buf, size_t len,
>
> if ((hdr & SPE_HEADER0_MASK2) == SPE_HEADER0_EXTENDED) {
> /* 16-bit extended format header */
> - ext_hdr = 1;
> + if (len == 1)
> + return ARM_SPE_BAD_PACKET;
>
> + ext_hdr = 1;
> hdr = buf[1];
> if (hdr == SPE_HEADER1_ALIGNMENT)
> return arm_spe_get_alignment(buf, len, packet);
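Review bot: the early return in the extended-header branch reports a buffer that is merely too short as `ARM_SPE_BAD_PACKET`, so the caller cannot tell truncated input from a malformed header. If that is intended, a one-line comment above `if (len == 1)` noting that the extended header needs a second byte, and why a short buffer is treated as bad, would keep the check from looking arbitrary to the next reader.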
> --
> 2.31.0.208.g409f899ff0-goog
>
--
- Arnaldo