perf: bug, kernel ignores the buffer size on large read

From: Vince Weaver
Date: Wed Sep 02 2015 - 12:27:18 EST

Next message: Dmitry Torokhov: "Re: kfree a pointer "from the middle" causing protection faults"
Previous message: Alexandre Belloni: "[PATCH] MAINTAINERS: explicitly add Atmel SAMA5"
Next in thread: Peter Zijlstra: "Re: perf: bug, kernel ignores the buffer size on large read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

OK, this time I found the actual bug.

event->read_size is declared as a u16 in include/linux/perf_event.h

but it is very easy to get event->read_size larger than 64k
(in my case, create 10000 events in a group).

Because we wrap around the u16, the
if (count < event->read_size) return -ENOSPC;
in perf_read_hw() doesn't trigger reliably and so if you do a read
on a large group event the kernel will quite happily copy_to_user()
beyond the bounds of the value set in the read syscall.

In my case it completely smashed the stack and caused the program to
segfault.

I'm not sure what the solution is here. Change read_size to be larger?
Ban events whose read size would be larger than 64k? Although that gets
tricky because the related header_size is also only a u16.

Vince

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dmitry Torokhov: "Re: kfree a pointer "from the middle" causing protection faults"
Previous message: Alexandre Belloni: "[PATCH] MAINTAINERS: explicitly add Atmel SAMA5"
Next in thread: Peter Zijlstra: "Re: perf: bug, kernel ignores the buffer size on large read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]