Message-ID: <55D78AA0.6000106@oracle.com>
Date: Fri, 21 Aug 2015 16:31:28 -0400
From: Sasha Levin <sasha.levin@oracle.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Peter Zijlstra <peterz@infradead.org>, mingo@kernel.org
CC: vincent.weaver@maine.edu, eranian@google.com, jolsa@redhat.com,
        kan.liang@intel.com, linux-kernel@vger.kernel.org,
        Andrew Hunter <ahh@google.com>,
        Maria Dimakopoulou <maria.n.dimakopoulou@gmail.com>
Subject: Re: [PATCH 01/10] perf,x86: Fix event/group validation
References: <20150521111710.475482798@infradead.org> <20150521111932.592505273@infradead.org>
In-Reply-To: <20150521111932.592505273@infradead.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1075
Lines: 30

On 05/21/2015 07:17 AM, Peter Zijlstra wrote:
> --- a/arch/x86/kernel/cpu/perf_event_intel.c
> +++ b/arch/x86/kernel/cpu/perf_event_intel.c
> @@ -2106,7 +2106,7 @@ static struct event_constraint *
>  intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
>  			    struct perf_event *event)
>  {
> -	struct event_constraint *c1 = event->hw.constraint;
> +	struct event_constraint *c1 = cpuc->event_constraint[idx];
>  	struct event_constraint *c2;

Hey Peter,

I was chasing a memory corruption in this area and I think I found
a possible culprit:

After this patch, In the code above, we'd access "cpuc->event_constraint[idx]"
and read/change memory.

The problem is that a valid value for idx is also -1, which isn't checked
here, so we end up accessing and possibly corrupting memory that isn't ours.


Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/