Date: Wed, 28 Feb 2024 23:07:57 -0800
Message-Id: <20240229070757.796244-1-irogers@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: [PATCH v1] libperf evlist: Avoid out-of-bounds access
From: Ian Rogers
To: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter, Yang Jihong, linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org

Parallel testing appears to show a race between allocating and setting
evsel ids. As there is a bounds check on the xyarray it yields a segv
like:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==484408==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010
==484408==The signal is caused by a WRITE memory access.
==484408==Hint: address points to the zero page.
    #0 0x55cef5d4eff4 in perf_evlist__id_hash tools/lib/perf/evlist.c:256
    #1 0x55cef5d4f132 in perf_evlist__id_add tools/lib/perf/evlist.c:274
    #2 0x55cef5d4f545 in perf_evlist__id_add_fd tools/lib/perf/evlist.c:315
    #3 0x55cef5a1923f in store_evsel_ids util/evsel.c:3130
    #4 0x55cef5a19400 in evsel__store_ids util/evsel.c:3147
    #5 0x55cef5888204 in __run_perf_stat tools/perf/builtin-stat.c:832
    #6 0x55cef5888c06 in run_perf_stat tools/perf/builtin-stat.c:960
    #7 0x55cef58932db in cmd_stat tools/perf/builtin-stat.c:2878
..
```

Avoid this crash by early exiting the perf_evlist__id_add_fd and
perf_evlist__id_add if the access is out-of-bounds.

Signed-off-by: Ian Rogers
---
 tools/lib/perf/evlist.c                  | 18 ++++++++++++------
 tools/lib/perf/include/internal/evlist.h |  4 ++--
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/tools/lib/perf/evlist.c b/tools/lib/perf/evlist.c index 058e3ff10f9b..c6d67fc9e57e 100644 --- a/tools/lib/perf/evlist.c +++ b/tools/lib/perf/evlist.c
@@ -248,10 +248,10 @@ u64 perf_evlist__read_format(struct perf_evlist *evlist) static void perf_evlist__id_hash(struct perf_evlist *evlist, struct perf_evsel *evsel, - int cpu, int thread, u64 id) + int cpu_map_idx, int thread, u64 id) { int hash; - struct perf_sample_id *sid = SID(evsel, cpu, thread); + struct perf_sample_id *sid = SID(evsel, cpu_map_idx, thread); sid->id = id; sid->evsel = evsel; @@ -269,21 +269,27 @@ void perf_evlist__reset_id_hash(struct perf_evlist *evlist) void perf_evlist__id_add(struct perf_evlist *evlist, struct perf_evsel *evsel, - int cpu, int thread, u64 id) + int cpu_map_idx, int thread, u64 id) { - perf_evlist__id_hash(evlist, evsel, cpu, thread, id); + if (!SID(evsel, cpu_map_idx, thread)) + return; + + perf_evlist__id_hash(evlist, evsel, cpu_map_idx, thread, id); evsel->id[evsel->ids++] = id; } int perf_evlist__id_add_fd(struct perf_evlist *evlist, struct perf_evsel *evsel, - int cpu, int thread, int fd) + int cpu_map_idx, int thread, int fd) { u64 read_data[4] = { 0, }; int id_idx = 1; /* The first entry is the counter value */ u64 id; int ret; + if (!SID(evsel, cpu_map_idx, thread)) + return -1; + ret = ioctl(fd, PERF_EVENT_IOC_ID, &id); if (!ret) goto add; @@ -312,7 +318,7 @@ int perf_evlist__id_add_fd(struct perf_evlist *evlist, id = read_data[id_idx]; add: - perf_evlist__id_add(evlist, evsel, cpu, thread, id); + perf_evlist__id_add(evlist, evsel, cpu_map_idx, thread, id); return 0; } diff --git a/tools/lib/perf/include/internal/evlist.h b/tools/lib/perf/include/internal/evlist.h index d86ffe8ed483..f43bdb9b6227 100644 --- a/tools/lib/perf/include/internal/evlist.h +++ b/tools/lib/perf/include/internal/evlist.h 
@@ -126,11 +126,11 @@ u64 perf_evlist__read_format(struct perf_evlist *evlist); void perf_evlist__id_add(struct perf_evlist *evlist, struct perf_evsel *evsel, - int cpu, int thread, u64 id); + int cpu_map_idx, int thread, u64 id); int perf_evlist__id_add_fd(struct perf_evlist *evlist, struct perf_evsel *evsel, - int cpu, int thread, int fd); + int cpu_map_idx, int thread, int fd); void perf_evlist__reset_id_hash(struct perf_evlist *evlist); -- 2.44.0.278.ge034bb2e1d-goog
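
Review bot: perf_evlist__id_hash(), in the first evlist.c hunk (@@ -248,10), still dereferences the result of SID(evsel, cpu_map_idx, thread) unconditionally at "sid->id = id;", so it is safe only because perf_evlist__id_add() now checks before calling it. Either move the NULL check into perf_evlist__id_hash() and have it report failure, or add a comment there saying the caller must already have validated the index. The cpu to cpu_map_idx rename in this hunk is also not mentioned in the commit message; a sentence there, or a separate patch for the rename, would keep the actual fix easy to pick out.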
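
Review bot: perf_evlist__id_add(), in the second evlist.c hunk (@@ -269,21), returns void, so the new "if (!SID(evsel, cpu_map_idx, thread)) return;" drops the id silently and no caller can tell it was never recorded. Consider making it return an int, which perf_evlist__id_add_fd() could then propagate instead of the unconditional "return 0" after the add: label, or at least log the rejected cpu_map_idx/thread pair. The commit message attributes the crash to a race between allocating and setting ids; the check stops the NULL write, but nothing in these lines orders the two operations, and SID() is looked up once here and again inside perf_evlist__id_hash(), so it is worth stating why the second lookup cannot return a different result. The following "evsel->id[evsel->ids++] = id;" is also not bounded by anything visible in this hunk.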
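
Review bot: the prototypes in the internal/evlist.h hunk (@@ -126,11) change the parameter name but carry no comment describing the contract that the evlist.c changes introduce. A short comment above them should say that cpu_map_idx is an index, as the new name implies, and that an out-of-range cpu_map_idx/thread pair makes perf_evlist__id_add() a no-op and makes perf_evlist__id_add_fd() return -1, so callers know the return value now has to be checked for that case.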