On Thu, Sep 10, 2015 at 01:54:18AM -0700, Stephane Eranian wrote:
> On Fri, Aug 21, 2015 at 1:31 PM, Sasha Levin <sasha.le...@oracle.com> wrote:
> >
> > On 05/21/2015 07:17 AM, Peter Zijlstra wrote:
> > > --- a/arch/x86/kernel/cpu/perf_event_intel.c
> > > +++ b/arch/x86/kernel/cpu/perf_event_intel.c
> > > @@ -2106,7 +2106,7 @@ static struct event_constraint *
> > >  intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
> > >  			    struct perf_event *event)
> > >  {
> > > -	struct event_constraint *c1 = event->hw.constraint;
> > > +	struct event_constraint *c1 = cpuc->event_constraint[idx];
> > >  	struct event_constraint *c2;
> >
> > Hey Peter,
> >
> > I was chasing a memory corruption in this area and I think I found
> > a possible culprit:
> >
> > After this patch, in the code above, we'd access
> > "cpuc->event_constraint[idx]"
> > and read/change memory.
> >
> > The problem is that a valid value for idx is also -1, which isn't checked
> > here, so we end up accessing and possibly corrupting memory that isn't ours.
> >
> >
> I believe your analysis is correct, the following path will create the
> problem:
>
> validate_group()
>   validate_event()
>     x86_pmu.get_event_constraints(fake_cpuc, -1, event)
>       intel_get_event_constraints(cpuc, idx, event)
>         struct event_constraints *c1 = cpuc->event_constraints[idx];
>
> here idx = -1, and the kernel is accessing an invalid memory location.
>
> I think the code could be changed to:
>
>      struct event_constraint *c1 = NULL;
>      if (idx > -1)
>           c1 = cpuc->event_constraints[idx];
>
> idx is not used in the __intel_get_event_constraints() path if I read
> the code correctly.
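Review bot: the added line `struct event_constraint *c1 = cpuc->event_constraint[idx];` in the quoted hunk trusts idx, and the validate_group() -> validate_event() path spelled out above hands this function idx == -1 on the fake cpuc, so the new read lands one element before the array. The assignment needs a guard (c1 = NULL when idx is negative, as suggested), and since a negative idx is a legitimate input on that path, the hunk or its changelog should say so rather than leave it to the next reader to rediscover.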
I prefer >= 0, but yes that looks about right. I still want to rework all
this fake stuff some time, but we should fix this asap.

Something like so then?

---
Subject: perf, intel: Fix out-of-bound
From: Peter Zijlstra <pet...@infradead.org>
Date: Thu Sep 10 11:58:27 CEST 2015

Sasha reported that we can get here with .idx==-1, and
cpuc->event_constraints unallocated.

Cc: sta...@vger.kernel.org
Fixes: b371b5943178 ("perf/x86: Fix event/group validation")
Reported-by: Sasha Levin <sasha.le...@oracle.com>
Suggested-by: Stephane Eranian <eran...@google.com>
Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
---
 arch/x86/kernel/cpu/perf_event_intel.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -2316,9 +2316,12 @@ static struct event_constraint *
 intel_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
 			    struct perf_event *event)
 {
-	struct event_constraint *c1 = cpuc->event_constraint[idx];
+	struct event_constraint *c1 = NULL;
 	struct event_constraint *c2;
 
+	if (idx >= 0) /* fake does < 0 */
+		c1 = cpuc->event_constraint[idx];
+
 	/*
 	 * first time only
 	 * - static constraint: no change across incremental scheduling calls
--
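Review bot: the changelog says `cpuc->event_constraints unallocated`, but the field the hunk guards is `cpuc->event_constraint` (singular); align the text with the code so the Fixes: reference and the fix describe the same thing. In the hunk itself, `/* fake does < 0 */` would serve the next reader better if it named the caller, e.g. `/* validate_event() passes idx == -1 on the fake cpuc */`, since that is the only path in this thread that produces a negative idx. Leaving c1 NULL on that path is consistent with the earlier reply's observation that idx is not otherwise used in the __intel_get_event_constraints() path.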
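Below is a stand-alone model of the guarded lookup the patch introduces, added here as an example rather than taken from the kernel tree. The struct layout, PMC_IDX_MAX, the fake cpuc and the two *_model() helpers are assumptions made for the model; only the shape of the guard (a sentinel idx < 0 meaning "no cached constraint, recompute") is what the patch does.

```c
/*
 * Added example, not kernel code: models the per-counter constraint cache
 * that intel_get_event_constraints() indexes with idx, and the sentinel
 * idx == -1 that group validation passes on a throwaway cpuc.
 * Struct layout, PMC_IDX_MAX and the *_model() helpers are assumptions.
 */
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define PMC_IDX_MAX 4                 /* assumed number of counters */

struct event_constraint {
    unsigned long idxmsk;             /* counters this event may land on */
    int weight;
};

struct cpu_hw_events {
    bool is_fake;                     /* set on the cpuc validate_group() builds */
    /* cached constraint per counter index, what the patched line reads */
    struct event_constraint *event_constraint[PMC_IDX_MAX];
};

/*
 * Post-fix shape of the lookup.  Before the fix the body was a bare
 * cpuc->event_constraint[idx], so the -1 from validate_event() read the
 * object just before the array.  idx < 0 now means "fake scheduling, no
 * cache entry" and the caller recomputes the constraint.  The upper-bound
 * check is an extra this model adds; the kernel relies on its callers.
 */
static struct event_constraint *
cached_constraint(const struct cpu_hw_events *cpuc, int idx)
{
    if (idx < 0 || idx >= PMC_IDX_MAX)  /* fake does < 0 */
        return NULL;
    return cpuc->event_constraint[idx];
}

/*
 * Models validate_event(): schedule on a zeroed, flagged-fake cpuc with no
 * counter assigned, i.e. idx == -1.  Returns 1 when the lookup stayed in
 * bounds and produced no stale cache entry.
 */
static int validate_event_model(void)
{
    struct cpu_hw_events fake;

    memset(&fake, 0, sizeof(fake));
    fake.is_fake = true;
    return cached_constraint(&fake, -1) == NULL;
}

/*
 * Models the real scheduling path: the index that has a cached entry gets
 * it back unchanged, an unpopulated index yields NULL, and an index past
 * the array is refused instead of read.
 */
static int real_path_model(void)
{
    static struct event_constraint c = { .idxmsk = 0x3, .weight = 2 };
    struct cpu_hw_events cpuc;

    memset(&cpuc, 0, sizeof(cpuc));
    cpuc.event_constraint[1] = &c;
    return cached_constraint(&cpuc, 1) == &c
        && cached_constraint(&cpuc, 0) == NULL
        && cached_constraint(&cpuc, PMC_IDX_MAX) == NULL;
}
```

The point of the model is that the sentinel and the array index share one integer, so the only safe place to separate them is at the access; a caller-side convention ("the fake path never reads the cache") is exactly what the original patch assumed and got wrong.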