From: tip-bot for Peter Zijlstra <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, hpa@zytor.com, mingo@kernel.org,
	a.p.zijlstra@chello.nl, stable@kernel.org, ak@linux.intel.com,
	tglx@linutronix.de
Subject: [tip:perf/urgent] perf/x86/intel/lbr: Fix LBR filter
Date: Sat, 4 May 2013 01:21:45 -0700
Message-ID: <tip-mk8i82ffzax01cnqo829iy1q@git.kernel.org>
In-Reply-To: <20130503121256.158211806@chello.nl>

Commit-ID:  6e15eb3ba6c0249c9e8c783517d131b47db995ca
Gitweb:     http://git.kernel.org/tip/6e15eb3ba6c0249c9e8c783517d131b47db995ca
Author:     Peter Zijlstra <a.p.zijlstra@chello.nl>
AuthorDate: Fri, 3 May 2013 14:11:24 +0200
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Sat, 4 May 2013 08:37:47 +0200

perf/x86/intel/lbr: Fix LBR filter

The LBR 'from' address is under full userspace control; ensure
we validate it before reading from it.

Note: is_module_text_address() can potentially be quite
expensive; for those running into that with high overhead
in modules optimize it using an RCU backed rb-tree.

Reported-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: <stable@kernel.org>
Cc: eranian@google.com
Link: http://lkml.kernel.org/r/20130503121256.158211806@chello.nl
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: http://lkml.kernel.org/n/tip-mk8i82ffzax01cnqo829iy1q@git.kernel.org
---
 arch/x86/kernel/cpu/perf_event_intel_lbr.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/perf_event_intel_lbr.c b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
index da02e9c..de341d4 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_lbr.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_lbr.c
@@ -442,8 +442,18 @@ static int branch_type(unsigned long from, unsigned long to)
 			return X86_BR_NONE;
 
 		addr = buf;
-	} else
-		addr = (void *)from;
+	} else {
+		/*
+		 * The LBR logs any address in the IP, even if the IP just
+		 * faulted. This means userspace can control the from address.
+		 * Ensure we don't blindy read any address by validating it is
+		 * a known text address.
+		 */
+		if (kernel_text_address(from))
+			addr = (void *)from;
+		else
+			return X86_BR_NONE;
+	}
 
 	/*
 	 * decoder needs to know the ABI especially
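
Review bot: In the new else branch, kernel_text_address(from) vouches only for the address from itself, yet addr is then handed to the instruction decoder set up just below, so the comment should say (or the code should check) that any bytes decoded past from also stay inside known text. The added comment has a typo, "blindy" for "blindly". The changelog names is_module_text_address() as the potentially expensive part while the hunk calls kernel_text_address(); one line in the comment tying the two together would save the next reader a lookup. The branch would also read more simply with the failure case first: if (!kernel_text_address(from)) return X86_BR_NONE; followed by an unconditional addr = (void *)from;.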
