Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1272122ybl; Fri, 23 Aug 2019 16:39:19 -0700 (PDT) X-Google-Smtp-Source: APXvYqy7Z49CdOwh4eP+bLEIMi2rhcPpIhlqtt0yRnRI//81EdNoaM2s4Np/dJsUwKDtrFT2kvrY X-Received: by 2002:a63:36cc:: with SMTP id d195mr6003545pga.157.1566603559273; Fri, 23 Aug 2019 16:39:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566603559; cv=none; d=google.com; s=arc-20160816; b=ujgx5zLWhGE4u2cRuQzQ6wgduCY6P+B/cFKR6NrTj0OOlXnRvbVdWM6ckeha3qiqMH SX88yP78bCYDCUbgE1PruGJpG/Ok6E3kf5lvCVFo3kWB/Ppz1mfGLdayjVLgYdXvS0kx KUQ0nOzZiUswzSUmOs52AmbFUyeoynePPnNi2O1AEuTDJOPk8Sdn+oLsqVpO8/NMXgZ0 OvNcE2obBmBqEkp4lHtWi0krLVVU0G7X4MRgfFPBC3+g1LLTIaRKHDI9NOVpckL9YUb6 J0a9vh2MyVf6ETZNs9+kEHTma9CgDTp+KTSR3U6vtj0ZGUtcZKgx/+iDsMwVu5MP1BHL NMZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:date:from:dkim-signature; bh=Gczk+EJ8LxiAJI5OXwLa8ocoZrZoy01MrH8K/Y4PQHo=; b=xJ7eBb9LvefdPe9Qv5XKqHS9sSRjl3CwuG4h6hYbhlCrmonZDQ9z9EuxSBJI5jFoWu WhR5lz21M4DWk6CYPR0iN4/GTXC3ptcbxzMh2usrISCAOZCtgc94Qa/WUkBTX7Tsiz5I Ww7UmIhManaJ7GgkT256gGMroqN4EV7Bc63sQgpO9GGUuJntulEsPPAw7KegI2d0ljze a9sxsQWfJ+izeZvuFKHFNHyX835ikEFcWg6RREKixqyyTaAAKG5UnhJvijrH+hxEXucL R8cs44F7tq6WNQ5SAJ/IvTWNufjLWjSbWOZ81vk5Jznk8Ud7T7cSc/G6s/LwPtvxcfug bQ6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@maine.edu header.s=google header.b=NO4fkVwy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w188si3866581pfb.175.2019.08.23.16.39.04; Fri, 23 Aug 2019 16:39:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@maine.edu header.s=google header.b=NO4fkVwy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391643AbfHWUmv (ORCPT + 99 others); Fri, 23 Aug 2019 16:42:51 -0400 Received: from mail-qt1-f182.google.com ([209.85.160.182]:40762 "EHLO mail-qt1-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388903AbfHWUmv (ORCPT ); Fri, 23 Aug 2019 16:42:51 -0400 Received: by mail-qt1-f182.google.com with SMTP id g4so2645029qtq.7 for ; Fri, 23 Aug 2019 13:42:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=maine.edu; s=google; h=from:date:to:cc:subject:in-reply-to:message-id:references :user-agent:mime-version; bh=Gczk+EJ8LxiAJI5OXwLa8ocoZrZoy01MrH8K/Y4PQHo=; b=NO4fkVwyZOzQ/jSY0fP4yNcBFegJIfr7DOj3i3cPTHYzoRZTwyuWBpEa98d2K9BeU1 w9TLAVPgZ67+NSAnmOobUyVFk4m5rb+6gmKOAmRXM4PC4hQ2D3uxHt3ndHkhZR62ZCLt K4EaZD22/3qIqn5pd3RsjcXmQRRWVDdHlyAa0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:date:to:cc:subject:in-reply-to:message-id :references:user-agent:mime-version; bh=Gczk+EJ8LxiAJI5OXwLa8ocoZrZoy01MrH8K/Y4PQHo=; b=UGUYPLJAHxlHJ6iW1QOuaKCiQJ4yvD2K7p5EQD3ur4waJ1C2cXrIkU1OTIyUO9zKN1 Pxx2fDy4FEmXjDWcKRstAnf89Z7XKFjEf/We/y5RCucB2Vnq/rhvnBDAV5mBnFqIkT5Q A6cGEqXA5qH9qcB/joqsJvoPU/dgwqrshL9+nFQeRM5kX4fvKA+W64NUIczksC3xHtG2 dM9gRrW3FoE0bjo5Eehr5EJlkIdUNOlTmvbAWNyR61ZGgZSKEROVkp2fxJ/+ZUPzve5k /1XIsozlIYhqdlbDp5OCVIMSyZT1z+Obte9/aVifeFlL9MY4P/2fYg2stsjX8IoxLUcl CrXA== X-Gm-Message-State: APjAAAU8U23hFpyqtvNEdPOsNxCrhsq5OTeXBrZ9uSVF58eCilB39tww hROw9IDAZskEeZgje9LhXKzyOQ== X-Received: by 2002:ac8:739a:: with SMTP id t26mr6718674qtp.65.1566592970244; Fri, 23 Aug 2019 13:42:50 -0700 (PDT) Received: from macbook-air (weaver.eece.maine.edu. [130.111.218.23]) by smtp.gmail.com with ESMTPSA id e7sm1664614qtp.91.2019.08.23.13.42.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 23 Aug 2019 13:42:49 -0700 (PDT) From: Vince Weaver X-Google-Original-From: Vince Weaver Date: Fri, 23 Aug 2019 16:42:47 -0400 (EDT) X-X-Sender: vince@macbook-air To: Arnaldo Carvalho de Melo cc: Vince Weaver , linux-kernel@vger.kernel.org, Peter Zijlstra , Ingo Molnar , Alexander Shishkin , Jiri Olsa , Namhyung Kim Subject: Re: [patch] perf tool buffer overflow in perf_header__read_build_ids In-Reply-To: <20190726190541.GC20482@kernel.org> Message-ID: References: <20190726190541.GC20482@kernel.org> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 26 Jul 2019, Arnaldo Carvalho de Melo wrote: > Em Tue, Jul 23, 2019 at 04:42:30PM -0400, Vince Weaver escreveu: > > my perf_tool_fuzzer has found another issue, this one a buffer overflow > > in perf_header__read_build_ids. The build id filename is read in with a > > filename length read from the perf.data file, but this can be longer than > > PATH_MAX which will smash the stack. > > > > This might not be the right fix, not sure if filename should be NUL > > terminated or not. > > > > Signed-off-by: Vince Weaver > > > > diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c > > index c24db7f4909c..9a893a26e678 100644 > > --- a/tools/perf/util/header.c > > +++ b/tools/perf/util/header.c > > @@ -2001,6 +2001,9 @@ static int perf_header__read_build_ids(struct perf_header *header, > > perf_event_header__bswap(&bev.header); > > > > len = bev.header.size - sizeof(bev); > > + > > + if (len>PATH_MAX) len=PATH_MAX; > > + > > Humm, I wonder if we shouldn't just declare the whole file invalid like > you did with the previous patch? > > - Arnaldo > > > if (readn(input, filename, len) != len) > > goto out; > > /* did we ever decide how to fix this issue? Or were you waiting on a followup patch from me? This is actually an exploitable security bug if you can convince someone to run "perf" on an untrusted perf.data file. Vince