Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3050078ybl;
        Sun, 25 Aug 2019 07:34:15 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxv8VpNimnD1XbbrS2dC4DuLK6Z6U0unSGB48UG6EeJXunYN6/9rTVRSK0azQJ9Uf42OXeq
X-Received: by 2002:a17:90a:19c4:: with SMTP id 4mr15300801pjj.20.1566743655290;
        Sun, 25 Aug 2019 07:34:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1566743655; cv=none;
        d=google.com; s=arc-20160816;
        b=oROkyTHjUhP2ihhVIyVrvTup+MdSnAZZkHFLUvHiEMkMCioCiP9DEDA8bxaRobVdEZ
         39VCzCCRabxAOuGgKL/9+rWJXBje7v/AvlQnd4qObtNV1MwwQbE0gqTqM33lCW9z+Rsc
         z5aqUX9K8RJYSa1mclqgUAZsvfTlpA7Mzc2UXOw4Dj9KPd+LbnbmAdAOIz0/4EgwSdwl
         OXtoONAj/SUXCaIiurhU9G/sxOqjfPoJtMVZNEWKRlIQybXirVeWhu50I3o42sUUX7JE
         csTcHYSahPEfrHX/ArzuGv5u5bvDGQnc16wT4OlqK696lRZA15PPZbYOo4yg3MleLJMO
         Qrgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:date:from:dkim-signature;
        bh=OZqyEDU3Oz8mczhnGZvbQocZ4/Kspt/0e7wlQ0xGyGs=;
        b=vfOX46GuOfzOQe4n1ygIR0LU3vQH4owwvGcQ9HDPlwzHygY0B86H4w1QkYxqltWXq5
         d6COz9majwG740TzlsDeTtB2IHryPK1/9kADHN2IdKjAjiW8xExJVlpFf+laZOZYJhHs
         J5f1Db9AbVeOkQPJnt8mswLiS/4k8qBz4QThHzm++gJXPj8M7Y6d7aCVPLqSVuror/oV
         beND3A8K9B1nSJkwlrN5xkwhZ9PVho2eCYYZCV2P0rTegLXd5LL3aFT0xMOF09Z6bOj0
         O/NWXgon6RzNwooMc5NCjnHB+vPZ5ufW05Vo2Orxu2yhsFdb94gYXoLg/MVQz0JDEZUv
         ROaA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ve6BQxor;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s13si6659756pgn.123.2019.08.25.07.34.00;
        Sun, 25 Aug 2019 07:34:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ve6BQxor;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728510AbfHYOdG (ORCPT <rfc822;yuankui.zhao@gmail.com>
        + 99 others); Sun, 25 Aug 2019 10:33:06 -0400
Received: from mail-qt1-f196.google.com ([209.85.160.196]:43456 "EHLO
        mail-qt1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728436AbfHYOdG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 25 Aug 2019 10:33:06 -0400
Received: by mail-qt1-f196.google.com with SMTP id b11so15577699qtp.10
        for <linux-kernel@vger.kernel.org>; Sun, 25 Aug 2019 07:33:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:date:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=OZqyEDU3Oz8mczhnGZvbQocZ4/Kspt/0e7wlQ0xGyGs=;
        b=ve6BQxorZMQhe7qGP3tXO9NgI36xtGkyBTjPS/KsUnr3dwTDCW6lJQsss4Ai3w8j2n
         czV4tm4bZ4Fn02349FuP7TlEK4UJGpRq9pBpo1ppj/+3GYkXGcrErT16adUHvl79WaNc
         PPSYGN4q+0ZJqd3MM5O8pE9ARcuhh0TfQbFTKbXuXRvEUK1cIL15fLmy093ibbB5iBHH
         zc6NDHX3rl3e2U5+TP6S+BS805q/3+gz+3e5g7FqK1zGhqg49nFZTfl/03iKt7gL6fmx
         GuC1iw2CQGW7AYGe9VQ2OAlbpgXhjP8j8ypcxaT7nlD91IXe7AIxVsot8gR1L07cbcd+
         h9Hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:date:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=OZqyEDU3Oz8mczhnGZvbQocZ4/Kspt/0e7wlQ0xGyGs=;
        b=iACh66tR/OKHk5jMV2+kwQGMQgLhC0cs3lfWC/vqmMYxJIBzMrRkXRdePHJ9GeJTij
         eIg1BgDY8pA2g9d/JqIfBL4Moy8jDhfEIp/nl/SukQwjYrxvlRKkQ05aN2knvLLcfa3T
         S9UnsVbYx+svj5rrAG9gZtQk515sIOIbg61HnhWqmAd6t/XzVje5tyNn2QZ/6OrEKIlL
         ZOeZP98vj5uRfLTVZ+lpRHnNYg7SRpkU90QpishV7s1A4Od8AtxHyYuTcOLv2Ki7l0Is
         rOtRik7htg62Egv8WWfJ/DuHXhWtbHWTWcH+W1mvWjjluuEJkAQu1NcD7ilVBKMmyckB
         0/fw==
X-Gm-Message-State: APjAAAV1gCE8EpNtjt439wbxd4dsBW3Rgk+O7cbOjlhCqTFxO+9ZJamh
        9P7kCPdviejuS531kpkchrs=
X-Received: by 2002:a0c:f150:: with SMTP id y16mr11663254qvl.220.1566743585293;
        Sun, 25 Aug 2019 07:33:05 -0700 (PDT)
Received: from quaco.ghostprotocols.net (user.186-235-140-211.acesso10.net.br. [186.235.140.211])
        by smtp.gmail.com with ESMTPSA id p38sm7618846qtc.76.2019.08.25.07.33.04
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 25 Aug 2019 07:33:04 -0700 (PDT)
From:   Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>
X-Google-Original-From: Arnaldo Carvalho de Melo <acme@kernel.org>
Received: by quaco.ghostprotocols.net (Postfix, from userid 1000)
        id 4A7C040340; Sun, 25 Aug 2019 11:33:02 -0300 (-03)
Date:   Sun, 25 Aug 2019 11:33:02 -0300
To:     Vince Weaver <vincent.weaver@maine.edu>
Cc:     Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>,
        linux-kernel@vger.kernel.org,
        Peter Zijlstra <peterz@infradead.org>,
        Ingo Molnar <mingo@redhat.com>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        Jiri Olsa <jolsa@redhat.com>,
        Namhyung Kim <namhyung@kernel.org>
Subject: Re: [patch] perf tool buffer overflow in perf_header__read_build_ids
Message-ID: <20190825143302.GE26569@kernel.org>
References: <alpine.DEB.2.21.1907231100440.14532@macbook-air>
 <alpine.DEB.2.21.1907231639120.14532@macbook-air>
 <20190726190541.GC20482@kernel.org>
 <alpine.DEB.2.21.1908231641170.7106@macbook-air>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.21.1908231641170.7106@macbook-air>
X-Url:  http://acmel.wordpress.com
User-Agent: Mutt/1.12.0 (2019-05-25)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Em Fri, Aug 23, 2019 at 04:42:47PM -0400, Vince Weaver escreveu:
> On Fri, 26 Jul 2019, Arnaldo Carvalho de Melo wrote:
> > Em Tue, Jul 23, 2019 at 04:42:30PM -0400, Vince Weaver escreveu:
> > > my perf_tool_fuzzer has found another issue, this one a buffer overflow
> > > in perf_header__read_build_ids.  The build id filename is read in with a 
> > > filename length read from the perf.data file, but this can be longer than
> > > PATH_MAX which will smash the stack.
> > > 
> > > This might not be the right fix, not sure if filename should be NUL
> > > terminated or not.
> > > 
> > > Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
> > > 
> > > diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> > > index c24db7f4909c..9a893a26e678 100644
> > > --- a/tools/perf/util/header.c
> > > +++ b/tools/perf/util/header.c
> > > @@ -2001,6 +2001,9 @@ static int perf_header__read_build_ids(struct perf_header *header,
> > >  			perf_event_header__bswap(&bev.header);
> > >  
> > >  		len = bev.header.size - sizeof(bev);
> > > +
> > > +		if (len>PATH_MAX) len=PATH_MAX;
> > > +
> > 
> > Humm, I wonder if we shouldn't just declare the whole file invalid like
> > you did with the previous patch?

> > >  		if (readn(input, filename, len) != len)
> > >  			goto out;
> > >  		/*
>  
> did we ever decide how to fix this issue?  Or were you waiting on a 
> followup patch from me?

Fell thru the cracks, but yeah, I was waiting for a patch, can you send
it?

- Arnaldo
 
> This is actually an exploitable security bug if you can convince someone 
> to run "perf" on an untrusted perf.data file.

Indeed, and in light of the current discussion about unprivileged eBPF I
think we should start dropping privileges in perf report, etc.

- Arnaldo