raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-12 21:10:01 +00:00
Code Issues Projects Releases Wiki Activity

perf script python: Avoid buffer overflow in python PEBS register interface

Browse Source 
Running a script that processes PEBS records gives buffer overflows
in valgrind.

The problem is that the allocation of the register string doesn't
include the terminating 0 byte. Fix this.

I also replaced the very magic "28" with a more reasonable larger buffer
that should fit all registers.  There's no need to conserve memory here.

  ==2106591== Memcheck, a memory error detector
  ==2106591== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
  ==2106591== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
  ==2106591== Command: ../perf script -i tcall.data gcov.py tcall.gcov
  ==2106591==
  ==2106591== Invalid write of size 1
  ==2106591==    at 0x713354: regs_map (trace-event-python.c:748)
  ==2106591==    by 0x7134EB: set_regs_in_dict (trace-event-python.c:784)
  ==2106591==    by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
  ==2106591==    by 0x716327: python_process_general_event (trace-event-python.c:1499)
  ==2106591==    by 0x7164E1: python_process_event (trace-event-python.c:1531)
  ==2106591==    by 0x44F9AF: process_sample_event (builtin-script.c:2549)
  ==2106591==    by 0x6294DC: evlist__deliver_sample (session.c:1534)
  ==2106591==    by 0x6296D0: machines__deliver_event (session.c:1573)
  ==2106591==    by 0x629C39: perf_session__deliver_event (session.c:1655)
  ==2106591==    by 0x625830: ordered_events__deliver_event (session.c:193)
  ==2106591==    by 0x630B23: do_flush (ordered-events.c:245)
  ==2106591==    by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
  ==2106591==  Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
  ==2106591==    at 0x484280F: malloc (vg_replace_malloc.c:442)
  ==2106591==    by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
  ==2106591==    by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
  ==2106591==    by 0x716327: python_process_general_event (trace-event-python.c:1499)
  ==2106591==    by 0x7164E1: python_process_event (trace-event-python.c:1531)
  ==2106591==    by 0x44F9AF: process_sample_event (builtin-script.c:2549)
  ==2106591==    by 0x6294DC: evlist__deliver_sample (session.c:1534)
  ==2106591==    by 0x6296D0: machines__deliver_event (session.c:1573)
  ==2106591==    by 0x629C39: perf_session__deliver_event (session.c:1655)
  ==2106591==    by 0x625830: ordered_events__deliver_event (session.c:193)
  ==2106591==    by 0x630B23: do_flush (ordered-events.c:245)
  ==2106591==    by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
  ==2106591==
  ==2106591== Invalid read of size 1
  ==2106591==    at 0x484B6C6: strlen (vg_replace_strmem.c:502)
  ==2106591==    by 0x555D494: PyUnicode_FromString (unicodeobject.c:1899)
  ==2106591==    by 0x7134F7: set_regs_in_dict (trace-event-python.c:786)
  ==2106591==    by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
  ==2106591==    by 0x716327: python_process_general_event (trace-event-python.c:1499)
  ==2106591==    by 0x7164E1: python_process_event (trace-event-python.c:1531)
  ==2106591==    by 0x44F9AF: process_sample_event (builtin-script.c:2549)
  ==2106591==    by 0x6294DC: evlist__deliver_sample (session.c:1534)
  ==2106591==    by 0x6296D0: machines__deliver_event (session.c:1573)
  ==2106591==    by 0x629C39: perf_session__deliver_event (session.c:1655)
  ==2106591==    by 0x625830: ordered_events__deliver_event (session.c:193)
  ==2106591==    by 0x630B23: do_flush (ordered-events.c:245)
  ==2106591==  Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
  ==2106591==    at 0x484280F: malloc (vg_replace_malloc.c:442)
  ==2106591==    by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
  ==2106591==    by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
  ==2106591==    by 0x716327: python_process_general_event (trace-event-python.c:1499)
  ==2106591==    by 0x7164E1: python_process_event (trace-event-python.c:1531)
  ==2106591==    by 0x44F9AF: process_sample_event (builtin-script.c:2549)
  ==2106591==    by 0x6294DC: evlist__deliver_sample (session.c:1534)
  ==2106591==    by 0x6296D0: machines__deliver_event (session.c:1573)
  ==2106591==    by 0x629C39: perf_session__deliver_event (session.c:1655)
  ==2106591==    by 0x625830: ordered_events__deliver_event (session.c:193)
  ==2106591==    by 0x630B23: do_flush (ordered-events.c:245)
  ==2106591==    by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
  ==2106591==
  ==2106591== Invalid write of size 1
  ==2106591==    at 0x713354: regs_map (trace-event-python.c:748)
  ==2106591==    by 0x713539: set_regs_in_dict (trace-event-python.c:789)
  ==2106591==    by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
  ==2106591==    by 0x716327: python_process_general_event (trace-event-python.c:1499)
  ==2106591==    by 0x7164E1: python_process_event (trace-event-python.c:1531)
  ==2106591==    by 0x44F9AF: process_sample_event (builtin-script.c:2549)
  ==2106591==    by 0x6294DC: evlist__deliver_sample (session.c:1534)
  ==2106591==    by 0x6296D0: machines__deliver_event (session.c:1573)
  ==2106591==    by 0x629C39: perf_session__deliver_event (session.c:1655)
  ==2106591==    by 0x625830: ordered_events__deliver_event (session.c:193)
  ==2106591==    by 0x630B23: do_flush (ordered-events.c:245)
  ==2106591==    by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
  ==2106591==  Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
  ==2106591==    at 0x484280F: malloc (vg_replace_malloc.c:442)
  ==2106591==    by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
  ==2106591==    by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
  ==2106591==    by 0x716327: python_process_general_event (trace-event-python.c:1499)
  ==2106591==    by 0x7164E1: python_process_event (trace-event-python.c:1531)
  ==2106591==    by 0x44F9AF: process_sample_event (builtin-script.c:2549)
  ==2106591==    by 0x6294DC: evlist__deliver_sample (session.c:1534)
  ==2106591==    by 0x6296D0: machines__deliver_event (session.c:1573)
  ==2106591==    by 0x629C39: perf_session__deliver_event (session.c:1655)
  ==2106591==    by 0x625830: ordered_events__deliver_event (session.c:193)
  ==2106591==    by 0x630B23: do_flush (ordered-events.c:245)
  ==2106591==    by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
  ==2106591==
  ==2106591== Invalid read of size 1
  ==2106591==    at 0x484B6C6: strlen (vg_replace_strmem.c:502)
  ==2106591==    by 0x555D494: PyUnicode_FromString (unicodeobject.c:1899)
  ==2106591==    by 0x713545: set_regs_in_dict (trace-event-python.c:791)
  ==2106591==    by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
  ==2106591==    by 0x716327: python_process_general_event (trace-event-python.c:1499)
  ==2106591==    by 0x7164E1: python_process_event (trace-event-python.c:1531)
  ==2106591==    by 0x44F9AF: process_sample_event (builtin-script.c:2549)
  ==2106591==    by 0x6294DC: evlist__deliver_sample (session.c:1534)
  ==2106591==    by 0x6296D0: machines__deliver_event (session.c:1573)
  ==2106591==    by 0x629C39: perf_session__deliver_event (session.c:1655)
  ==2106591==    by 0x625830: ordered_events__deliver_event (session.c:193)
  ==2106591==    by 0x630B23: do_flush (ordered-events.c:245)
  ==2106591==  Address 0x7186fe0 is 0 bytes after a block of size 0 alloc'd
  ==2106591==    at 0x484280F: malloc (vg_replace_malloc.c:442)
  ==2106591==    by 0x7134AD: set_regs_in_dict (trace-event-python.c:780)
  ==2106591==    by 0x713E58: get_perf_sample_dict (trace-event-python.c:940)
  ==2106591==    by 0x716327: python_process_general_event (trace-event-python.c:1499)
  ==2106591==    by 0x7164E1: python_process_event (trace-event-python.c:1531)
  ==2106591==    by 0x44F9AF: process_sample_event (builtin-script.c:2549)
  ==2106591==    by 0x6294DC: evlist__deliver_sample (session.c:1534)
  ==2106591==    by 0x6296D0: machines__deliver_event (session.c:1573)
  ==2106591==    by 0x629C39: perf_session__deliver_event (session.c:1655)
  ==2106591==    by 0x625830: ordered_events__deliver_event (session.c:193)
  ==2106591==    by 0x630B23: do_flush (ordered-events.c:245)
  ==2106591==    by 0x630E7A: __ordered_events__flush (ordered-events.c:324)
  ==2106591==
  73056 total, 29 ignored

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20240905151058.2127122-2-ak@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
This commit is contained in:
Andi Kleen
2024-09-05 08:07:55 -07:00
committed by Arnaldo Carvalho de Melo
parent f2dbc77909
commit 4bef6168c1
1 changed files with 3 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
tools/perf/util/scripting-engines/trace-event-python.c
View File

@@ -762,6 +762,8 @@ static void regs_map(struct regs_dump *regs, uint64_t mask, const char *arch, ch
}
}
#define MAX_REG_SIZE 128
static int set_regs_in_dict(PyObject *dict,
struct perf_sample *sample,
struct evsel *evsel)
@@ -769,14 +771,7 @@ static int set_regs_in_dict(PyObject *dict,
struct perf_event_attr *attr = &evsel->core.attr;
const char *arch = perf_env__arch(evsel__env(evsel));
/*
* Here value 28 is a constant size which can be used to print
* one register value and its corresponds to:
* 16 chars is to specify 64 bit register in hexadecimal.
* 2 chars is for appending "0x" to the hexadecimal value and
* 10 chars is for register name.
*/
int size = __sw_hweight64(attr->sample_regs_intr) * 28;
int size = (__sw_hweight64(attr->sample_regs_intr) * MAX_REG_SIZE) + 1;
char *bf = malloc(size);
if (!bf)
return -1;