Received: by 2002:ac0:8845:0:0:0:0:0 with SMTP id g63csp161242img; Wed, 27 Feb 2019 19:13:55 -0800 (PST) X-Google-Smtp-Source: AHgI3IYKyVUbunkUHh3BzUvn7992kvsqkACRKzkXUCl0VcbegaGYxZeYske8ke8SHms4vy9vxfRj X-Received: by 2002:a63:1021:: with SMTP id f33mr6223897pgl.392.1551323635855; Wed, 27 Feb 2019 19:13:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551323635; cv=none; d=google.com; s=arc-20160816; b=GdAapKwTSzgLgFpa1L6edXNB5wPMqSgEbgJZwyZwJp3IbziZUZ4O7hZIgS48n9z7Th qfspiCLG7f1aWuVtq8sd+P5VgfZPNUJHAE9XKFkPzYgrN4qq/nwxE6IGNixbL6hrSO58 2pGKoPcG+lQZPgvADUcRAUJBfRYLiM8cKX2NdDS3KbM2ViKNt4291yKzSJ/7pKoHsrsV VwtrJDwndIpzM4f/AYcNpc8n/Ptrt7hIab1t8IH29Ujv21cnIpKJZDHdl46tBHVnO5bN 5zcqZwUV8N/G7aZHPJPc0yUIsG5iH8rTAeysRM5uAWpJE6+yA6aMd+b0RvpLbBzoF3D0 kR8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=ZW6O4YgXHkPyq75k9xi9T1el1sMPtUFxOQxP15f6+co=; b=Cj6JgfNBVT8aiYTnExcu78JeENmifIYD2DmcYeJ+wCeClpsEGKoUwCYPii+a1asdIF 9XboTE0UK1phnSr1LsvOgju14myr4pTt6L8mYw/7jmDgOOlzGEW3LfzgUAvUIbzNovh9 tvqPwG+TzOn/Grb5ZbqgrH4sNh81Sh2HqjTeWgkQlLWHQYkOL6A/BbDLJbmlRj7QhlXP HGz11xbNOmlTw/8zWZ8oKhNQE7RLhC5GVZzmlDk7tyMfsuwkawXdo6v7femnDxOjqdkr J+jB1KzSeMofh4Nhw8QR84DmYIyE7r6EsXVgbymSeBymWZwcoyQAOqEWNRzpihWibsk2 9sjw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n9si16830800pge.12.2019.02.27.19.13.24; Wed, 27 Feb 2019 19:13:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730527AbfB1DMy (ORCPT + 99 others); Wed, 27 Feb 2019 22:12:54 -0500 Received: from mail.kernel.org ([198.145.29.99]:57880 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730131AbfB1DMx (ORCPT ); Wed, 27 Feb 2019 22:12:53 -0500 Received: from vmware.local.home (unknown [208.91.3.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EEDC3218AE; Thu, 28 Feb 2019 03:12:52 +0000 (UTC) Date: Wed, 27 Feb 2019 22:12:50 -0500 From: Steven Rostedt To: Tony Jones Cc: linux-kernel@vger.kernel.org, Arnaldo Carvalho de Melo , linux-perf-users@vger.kernel.org, Mathias Krause , linux-trace-devel@vger.kernel.org, Tzvetomir Stoyanov , Michael Sartain Subject: Re: [PATCH] tools lib traceevent: Fix buffer overflow in arg_eval Message-ID: <20190227221250.74996869@vmware.local.home> In-Reply-To: <20190228015532.8941-1-tonyj@suse.de> References: <20190228015532.8941-1-tonyj@suse.de> X-Mailer: Claws Mail 3.15.1 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 27 Feb 2019 17:55:32 -0800 Tony Jones wrote: > Fix buffer overflow observed when running perf test. > > The overflow is when trying to evaluate "1ULL << (64 - 1)" which > is resulting in -9223372036854775808 which overflows the 20 character > buffer. > > If is possible this bug has been reported before but I still don't > see any fix checked in: > > See: https://www.spinics.net/lists/linux-perf-users/msg07714.html > > Cc: Arnaldo Carvalho de Melo > Cc: linux-perf-users@vger.kernel.org > Cc: Steven Rostedt > Signed-off-by: Tony Jones Acked-by: Steven Rostedt (VMware) I have to say I've let this slide and it is not the first time a patch went out with this fix. But this one has the correct fix because we should use a buffer with a multiple of 4. Anyway, Tony I believe was the first to report this anyway. For reference we have: I first heard about Tony's complaint on a post to linux-perf-users on Jan 18. But then we had after that: Michael Sartain reported it on 1/24 (and fixed by Tzvetomir) https://lore.kernel.org/linux-trace-devel/20190125102014.19600-1-tstoyanov@vmware.com/ It was later fixed again by Mathias Krause https://lore.kernel.org/linux-trace-devel/20190223122404.21137-1-minipli@googlemail.com/ But since Tony was first to report it, and we discussed that it should be 24 bytes, I would say this is the patch to take. Again, sorry for not getting this acknowledged earlier and everyone doing the same thing multiple times. :-/ Arnaldo, please take this patch. But also add: Reported-by: Michael Sartain Reported-by: Mathias Krause Thanks, -- Steve > --- > tools/lib/traceevent/event-parse.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/tools/lib/traceevent/event-parse.c > b/tools/lib/traceevent/event-parse.c index abd4fa5d3088..87494c7c619d > 100644 --- a/tools/lib/traceevent/event-parse.c > +++ b/tools/lib/traceevent/event-parse.c > @@ -2457,7 +2457,7 @@ static int arg_num_eval(struct tep_print_arg > *arg, long long *val) static char *arg_eval (struct tep_print_arg > *arg) { > long long val; > - static char buf[20]; > + static char buf[24]; > > switch (arg->type) { > case TEP_PRINT_ATOM: