All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 0/2] Fix issues in check_cpu_map
@ 2021-10-21 14:16 jeffm
  2021-10-21 14:45 ` Jens Axboe
  0 siblings, 1 reply; 2+ messages in thread
From: jeffm @ 2021-10-21 14:16 UTC (permalink / raw)
  To: linux-btrace

From: Jeff Mahoney <jeffm@suse.com>

Hi folks -

I received a bug report[1] where blkparse would crash on pipe input.  It
was not reproducible and, looking at the core dump, it appears to be due
to the first event being dropped such that we end up going down the
check_sequence path to check_cpu_map with bit->sequence = 2 first the
first sequence.  check_cpu_map would do a malloc(0) and then write past
the end of the (empty) range, ultimately causing a crash in free() due
to glibc's magic byte at the end of the buffer being overwritten.  Since we
don't do CPU online tracking on pipe input and file input will online at
least one CPU or exit, we can skip the rest of the body if the CPU map
is empty.

While looking at this, I also found that the memset always uses
sizeof(unsigned long *) as its size regardless of the allocated since.
I've replaced that with a calloc.

Thanks,

-Jeff

[1] https://bugzilla.suse.com/show_bug.cgi?id\x1191788

Jeff Mahoney (2):
  blkparse: skip check_cpu_map with pipe input
  blkparse: fix incorrectly sized memset in check_cpu_map

 blkparse.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

-- 
2.33.1

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [PATCH 0/2] Fix issues in check_cpu_map
  2021-10-21 14:16 [PATCH 0/2] Fix issues in check_cpu_map jeffm
@ 2021-10-21 14:45 ` Jens Axboe
  0 siblings, 0 replies; 2+ messages in thread
From: Jens Axboe @ 2021-10-21 14:45 UTC (permalink / raw)
  To: linux-btrace

On 10/21/21 8:16 AM, jeffm@suse.com wrote:
> From: Jeff Mahoney <jeffm@suse.com>
> 
> Hi folks -
> 
> I received a bug report[1] where blkparse would crash on pipe input.  It
> was not reproducible and, looking at the core dump, it appears to be due
> to the first event being dropped such that we end up going down the
> check_sequence path to check_cpu_map with bit->sequence = 2 first the
> first sequence.  check_cpu_map would do a malloc(0) and then write past
> the end of the (empty) range, ultimately causing a crash in free() due
> to glibc's magic byte at the end of the buffer being overwritten.  Since we
> don't do CPU online tracking on pipe input and file input will online at
> least one CPU or exit, we can skip the rest of the body if the CPU map
> is empty.
> 
> While looking at this, I also found that the memset always uses
> sizeof(unsigned long *) as its size regardless of the allocated since.
> I've replaced that with a calloc.

Applied, thanks Jeff.

-- 
Jens Axboe

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-10-21 14:45 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-21 14:16 [PATCH 0/2] Fix issues in check_cpu_map jeffm
2021-10-21 14:45 ` Jens Axboe

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.