Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3050078ybl; Sun, 25 Aug 2019 07:34:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqxv8VpNimnD1XbbrS2dC4DuLK6Z6U0unSGB48UG6EeJXunYN6/9rTVRSK0azQJ9Uf42OXeq X-Received: by 2002:a17:90a:19c4:: with SMTP id 4mr15300801pjj.20.1566743655290; Sun, 25 Aug 2019 07:34:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566743655; cv=none; d=google.com; s=arc-20160816; b=oROkyTHjUhP2ihhVIyVrvTup+MdSnAZZkHFLUvHiEMkMCioCiP9DEDA8bxaRobVdEZ 39VCzCCRabxAOuGgKL/9+rWJXBje7v/AvlQnd4qObtNV1MwwQbE0gqTqM33lCW9z+Rsc z5aqUX9K8RJYSa1mclqgUAZsvfTlpA7Mzc2UXOw4Dj9KPd+LbnbmAdAOIz0/4EgwSdwl OXtoONAj/SUXCaIiurhU9G/sxOqjfPoJtMVZNEWKRlIQybXirVeWhu50I3o42sUUX7JE csTcHYSahPEfrHX/ArzuGv5u5bvDGQnc16wT4OlqK696lRZA15PPZbYOo4yg3MleLJMO Qrgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:date:from:dkim-signature; bh=OZqyEDU3Oz8mczhnGZvbQocZ4/Kspt/0e7wlQ0xGyGs=; b=vfOX46GuOfzOQe4n1ygIR0LU3vQH4owwvGcQ9HDPlwzHygY0B86H4w1QkYxqltWXq5 d6COz9majwG740TzlsDeTtB2IHryPK1/9kADHN2IdKjAjiW8xExJVlpFf+laZOZYJhHs J5f1Db9AbVeOkQPJnt8mswLiS/4k8qBz4QThHzm++gJXPj8M7Y6d7aCVPLqSVuror/oV beND3A8K9B1nSJkwlrN5xkwhZ9PVho2eCYYZCV2P0rTegLXd5LL3aFT0xMOF09Z6bOj0 O/NWXgon6RzNwooMc5NCjnHB+vPZ5ufW05Vo2Orxu2yhsFdb94gYXoLg/MVQz0JDEZUv ROaA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ve6BQxor; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s13si6659756pgn.123.2019.08.25.07.34.00; Sun, 25 Aug 2019 07:34:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ve6BQxor; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728510AbfHYOdG (ORCPT + 99 others); Sun, 25 Aug 2019 10:33:06 -0400 Received: from mail-qt1-f196.google.com ([209.85.160.196]:43456 "EHLO mail-qt1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728436AbfHYOdG (ORCPT ); Sun, 25 Aug 2019 10:33:06 -0400 Received: by mail-qt1-f196.google.com with SMTP id b11so15577699qtp.10 for ; Sun, 25 Aug 2019 07:33:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:date:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=OZqyEDU3Oz8mczhnGZvbQocZ4/Kspt/0e7wlQ0xGyGs=; b=ve6BQxorZMQhe7qGP3tXO9NgI36xtGkyBTjPS/KsUnr3dwTDCW6lJQsss4Ai3w8j2n czV4tm4bZ4Fn02349FuP7TlEK4UJGpRq9pBpo1ppj/+3GYkXGcrErT16adUHvl79WaNc PPSYGN4q+0ZJqd3MM5O8pE9ARcuhh0TfQbFTKbXuXRvEUK1cIL15fLmy093ibbB5iBHH zc6NDHX3rl3e2U5+TP6S+BS805q/3+gz+3e5g7FqK1zGhqg49nFZTfl/03iKt7gL6fmx GuC1iw2CQGW7AYGe9VQ2OAlbpgXhjP8j8ypcxaT7nlD91IXe7AIxVsot8gR1L07cbcd+ h9Hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:date:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=OZqyEDU3Oz8mczhnGZvbQocZ4/Kspt/0e7wlQ0xGyGs=; b=iACh66tR/OKHk5jMV2+kwQGMQgLhC0cs3lfWC/vqmMYxJIBzMrRkXRdePHJ9GeJTij eIg1BgDY8pA2g9d/JqIfBL4Moy8jDhfEIp/nl/SukQwjYrxvlRKkQ05aN2knvLLcfa3T S9UnsVbYx+svj5rrAG9gZtQk515sIOIbg61HnhWqmAd6t/XzVje5tyNn2QZ/6OrEKIlL ZOeZP98vj5uRfLTVZ+lpRHnNYg7SRpkU90QpishV7s1A4Od8AtxHyYuTcOLv2Ki7l0Is rOtRik7htg62Egv8WWfJ/DuHXhWtbHWTWcH+W1mvWjjluuEJkAQu1NcD7ilVBKMmyckB 0/fw== X-Gm-Message-State: APjAAAV1gCE8EpNtjt439wbxd4dsBW3Rgk+O7cbOjlhCqTFxO+9ZJamh 9P7kCPdviejuS531kpkchrs= X-Received: by 2002:a0c:f150:: with SMTP id y16mr11663254qvl.220.1566743585293; Sun, 25 Aug 2019 07:33:05 -0700 (PDT) Received: from quaco.ghostprotocols.net (user.186-235-140-211.acesso10.net.br. [186.235.140.211]) by smtp.gmail.com with ESMTPSA id p38sm7618846qtc.76.2019.08.25.07.33.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 25 Aug 2019 07:33:04 -0700 (PDT) From: Arnaldo Carvalho de Melo X-Google-Original-From: Arnaldo Carvalho de Melo Received: by quaco.ghostprotocols.net (Postfix, from userid 1000) id 4A7C040340; Sun, 25 Aug 2019 11:33:02 -0300 (-03) Date: Sun, 25 Aug 2019 11:33:02 -0300 To: Vince Weaver Cc: Arnaldo Carvalho de Melo , linux-kernel@vger.kernel.org, Peter Zijlstra , Ingo Molnar , Alexander Shishkin , Jiri Olsa , Namhyung Kim Subject: Re: [patch] perf tool buffer overflow in perf_header__read_build_ids Message-ID: <20190825143302.GE26569@kernel.org> References: <20190726190541.GC20482@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Url: http://acmel.wordpress.com User-Agent: Mutt/1.12.0 (2019-05-25) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Em Fri, Aug 23, 2019 at 04:42:47PM -0400, Vince Weaver escreveu: > On Fri, 26 Jul 2019, Arnaldo Carvalho de Melo wrote: > > Em Tue, Jul 23, 2019 at 04:42:30PM -0400, Vince Weaver escreveu: > > > my perf_tool_fuzzer has found another issue, this one a buffer overflow > > > in perf_header__read_build_ids. The build id filename is read in with a > > > filename length read from the perf.data file, but this can be longer than > > > PATH_MAX which will smash the stack. > > > > > > This might not be the right fix, not sure if filename should be NUL > > > terminated or not. > > > > > > Signed-off-by: Vince Weaver > > > > > > diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c > > > index c24db7f4909c..9a893a26e678 100644 > > > --- a/tools/perf/util/header.c > > > +++ b/tools/perf/util/header.c > > > @@ -2001,6 +2001,9 @@ static int perf_header__read_build_ids(struct perf_header *header, > > > perf_event_header__bswap(&bev.header); > > > > > > len = bev.header.size - sizeof(bev); > > > + > > > + if (len>PATH_MAX) len=PATH_MAX; > > > + > > > > Humm, I wonder if we shouldn't just declare the whole file invalid like > > you did with the previous patch? > > > if (readn(input, filename, len) != len) > > > goto out; > > > /* > > did we ever decide how to fix this issue? Or were you waiting on a > followup patch from me? Fell thru the cracks, but yeah, I was waiting for a patch, can you send it? - Arnaldo > This is actually an exploitable security bug if you can convince someone > to run "perf" on an untrusted perf.data file. Indeed, and in light of the current discussion about unprivileged eBPF I think we should start dropping privileges in perf report, etc. - Arnaldo