Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752190AbcKRCvf (ORCPT <rfc822;w@1wt.eu>);
        Thu, 17 Nov 2016 21:51:35 -0500
Received: from mail-yw0-f194.google.com ([209.85.161.194]:35015 "EHLO
        mail-yw0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751225AbcKRCvb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 Nov 2016 21:51:31 -0500
From: Vince Weaver <vincent.weaver@maine.edu>
X-Google-Original-From: Vince Weaver <vince@maine.edu>
Date: Thu, 17 Nov 2016 21:51:24 -0500 (EST)
X-X-Sender: vince@macbook-air
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
cc: Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@redhat.com>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        "dvyukov@google.com" <dvyukov@google.com>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>
Subject: Re: perf: fuzzer KASAN: global-out-of-bounds in match_token
In-Reply-To: <alpine.DEB.2.20.1611171706470.12680@macbook-air>
Message-ID: <alpine.DEB.2.20.1611172149260.14035@macbook-air>
References: <alpine.DEB.2.20.1611171521350.12680@macbook-air> <alpine.DEB.2.20.1611171536500.12680@macbook-air> <alpine.DEB.2.20.1611171706470.12680@macbook-air>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1682
Lines: 60

On Thu, 17 Nov 2016, Vince Weaver wrote:

> On Thu, 17 Nov 2016, Vince Weaver wrote:
> > > 
> > > [  911.507365] ==================================================================
> > > [  911.514824] BUG: KASAN: global-out-of-bounds in match_token+0x268/0x310 at addr ffffffffb14ad058
> > > [  911.523912] Read of size 8 by task perf_fuzzer/20662
> > > [  911.528945] Address belongs to variable if_tokens+0x78/0xa0

I managed to create a short reproducer that reliably causes the issue on 
my skylake test machine.



/* simplified perf_fuzzer test case */
/* that triggers BUG: KASAN: global-out-of-bounds in match_token+0x288 */
/* on a skylake machine running Linux 4.9-rc5 */
/* by Vince Weaver <vincent.weaver _at_ maine.edu> */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <linux/perf_event.h>


int perf_event_open(struct perf_event_attr *hw_event_uptr,
	pid_t pid, int cpu, int group_fd, unsigned long flags) {

	return syscall(__NR_perf_event_open,hw_event_uptr, pid, cpu,
		group_fd, flags);
}

int main(int argc, char **argv) {

	int fd7;
	struct perf_event_attr pe7;

	char filter[]="(((to&733)&&common_type&605)||common_flags<386922879890793102)";

	memset(&pe7,0,sizeof(struct perf_event_attr));
	pe7.type=7;		/* intel_pt */
	pe7.size=72;
	pe7.config=0x200ULL;	/* bit 10 = tsc */
	pe7.read_format=PERF_FORMAT_TOTAL_TIME_ENABLED; /* 1 */
	pe7.disabled=1;
	pe7.pinned=1;
	pe7.comm_exec=1;

	fd7=perf_event_open(&pe7,
				0, /* current thread */
				0, /* Only cpu 0 */
				-1, /* group leader */
				PERF_FLAG_FD_NO_GROUP /*1*/ );

	ioctl(fd7, PERF_EVENT_IOC_SET_FILTER , &filter);

	return 0;
}