[PATCH] perf trace: Fix SIGSEGV when processing augmented args

From: Naveen N. Rao
Date: Thu Mar 10 2022 - 05:48:10 EST

Next message: Vlastimil Babka: "Re: [PATCH v3 8/9] mm/huge_memory: remove stale page_trans_huge_mapcount()"
Previous message: kernel test robot: "[ammarfaizi2-block:google/android/kernel/common/android13-5.10 1034/9999] usr/include/linux/fuse.h:888: found __[us]{8,16,32,64} type without #include <linux/types.h>"
Next in thread: Arnaldo Carvalho de Melo: "Re: [PATCH] perf trace: Fix SIGSEGV when processing augmented args"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On powerpc, 'perf trace' is crashing with a SIGSEGV when trying to
process a perf data file created with 'perf trace record -p':

#0 0x00000001225b8988 in syscall_arg__scnprintf_augmented_string <snip> at builtin-trace.c:1492
#1 syscall_arg__scnprintf_filename <snip> at builtin-trace.c:1492
#2 syscall_arg__scnprintf_filename <snip> at builtin-trace.c:1486
#3 0x00000001225bdd9c in syscall_arg_fmt__scnprintf_val <snip> at builtin-trace.c:1973
#4 syscall__scnprintf_args <snip> at builtin-trace.c:2041
#5 0x00000001225bff04 in trace__sys_enter <snip> at builtin-trace.c:2319

The size captured in the augmented arg looks corrupt, resulting in the
augmented arg pointer being adjusted incorrectly. Fix this by checking
that the size is reasonable.

Reported-by: Claudio Carvalho <cclaudio@xxxxxxxxxxxxx>
Signed-off-by: Naveen N. Rao <naveen.n.rao@xxxxxxxxxxxxxxxxxx>
---
While this resolves the 'perf trace' crash, I'm not yet sure why the
size for the augmented arg is corrupt. This looks to be happening when
processing the sample for 'read' syscall. Any pointers?

Thanks,
- Naveen

tools/perf/builtin-trace.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index 52b137a184a66a..150c9cbe3316b8 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1487,10 +1487,12 @@ static size_t syscall_arg__scnprintf_augmented_string(struct syscall_arg *arg, c
* So that the next arg with a payload can consume its augmented arg, i.e. for rename* syscalls
* we would have two strings, each prefixed by its size.
*/
- int consumed = sizeof(*augmented_arg) + augmented_arg->size;
+ int consumed = sizeof(*augmented_arg) + (unsigned int)augmented_arg->size;

- arg->augmented.args = ((void *)arg->augmented.args) + consumed;
- arg->augmented.size -= consumed;
+ if (consumed < arg->augmented.size) {
+ arg->augmented.args = ((void *)arg->augmented.args) + consumed;
+ arg->augmented.size -= consumed;
+ }

return printed;
}

base-commit: e314fe9c2ad65adcb62fa98376a5f35502e4f4dd
--
2.35.1

Next message: Vlastimil Babka: "Re: [PATCH v3 8/9] mm/huge_memory: remove stale page_trans_huge_mapcount()"
Previous message: kernel test robot: "[ammarfaizi2-block:google/android/kernel/common/android13-5.10 1034/9999] usr/include/linux/fuse.h:888: found __[us]{8,16,32,64} type without #include <linux/types.h>"
Next in thread: Arnaldo Carvalho de Melo: "Re: [PATCH] perf trace: Fix SIGSEGV when processing augmented args"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]