[Devel] [PATCH RHEL7 COMMIT] ms/perf top: Fix global-buffer-overflow issue

Konstantin Khorenko khorenko at virtuozzo.com
Mon Dec 9 13:26:16 MSK 2019 

The commit is pushed to "branch-rh7-3.10.0-1062.7.1.vz7.130.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1062.7.1.vz7.130.1
------>
commit 1183d7cb7e0f601bdf36c00adab3cc737fc198a2
Author: Changbin Du <changbin.du at gmail.com>
Date:   Sat Mar 16 16:05:52 2019 +0800

    ms/perf top: Fix global-buffer-overflow issue
    
    The array str[] should have six elements.
    
      =================================================================
      ==4322==ERROR: AddressSanitizer: global-buffer-overflow on address 0x56463844e300 at pc 0x564637e7ad0d bp 0x7f30c8c89d10 sp 0x7f30c8c89d00
      READ of size 8 at 0x56463844e300 thread T9
          #0 0x564637e7ad0c in __ordered_events__flush util/ordered-events.c:316
          #1 0x564637e7b0e4 in ordered_events__flush util/ordered-events.c:338
          #2 0x564637c6a57d in process_thread /home/changbin/work/linux/tools/perf/builtin-top.c:1073
          #3 0x7f30d173a163 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8163)
          #4 0x7f30cfffbdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11adee)
    
      0x56463844e300 is located 32 bytes to the left of global variable 'flags' defined in 'util/trace-event-parse.c:229:26' (0x56463844e320) of size 192
      0x56463844e300 is located 0 bytes to the right of global variable 'str' defined in 'util/ordered-events.c:268:28' (0x56463844e2e0) of size 32
      SUMMARY: AddressSanitizer: global-buffer-overflow util/ordered-events.c:316 in __ordered_events__flush
      Shadow bytes around the buggy address:
        0x0ac947081c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ac947081c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ac947081c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ac947081c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ac947081c50: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
      =>0x0ac947081c60:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ac947081c70: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
        0x0ac947081c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ac947081c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ac947081ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ac947081cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      Thread T9 created by T0 here:
          #0 0x7f30d179de5f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x4ae5f)
          #1 0x564637c6b954 in __cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1253
          #2 0x564637c7173c in cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1642
          #3 0x564637d85038 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302
          #4 0x564637d85577 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354
          #5 0x564637d8597b in run_argv /home/changbin/work/linux/tools/perf/perf.c:398
          #6 0x564637d860e9 in main /home/changbin/work/linux/tools/perf/perf.c:520
          #7 0x7f30cff0509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    
    Signed-off-by: Changbin Du <changbin.du at gmail.com>
    Reviewed-by: Jiri Olsa <jolsa at kernel.org>
    Cc: Alexei Starovoitov <ast at kernel.org>
    Cc: Daniel Borkmann <daniel at iogearbox.net>
    Cc: Namhyung Kim <namhyung at kernel.org>
    Cc: Peter Zijlstra <peterz at infradead.org>
    Cc: Steven Rostedt (VMware) <rostedt at goodmis.org>
    Cc: Jiri Olsa <jolsa at kernel.org>
    Fixes: 16c66bc167cc ("perf top: Add processing thread")
    Fixes: 68ca5d07de20 ("perf ordered_events: Add ordered_events__flush_time interface")
    Link: http://lkml.kernel.org/r/20190316080556.3075-13-changbin.du@gmail.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
    
    https://jira.sw.ru/browse/HCI-128
    https://bugzilla.redhat.com/show_bug.cgi?id=1757947
    
    (cherry picked from commit 1e5b0cf8672e622257df024074e6e09bfbcb7750)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 tools/perf/util/ordered-events.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/perf/util/ordered-events.c b/tools/perf/util/ordered-events.c
index a02d3eb92d62..8ad023f59631 100644
--- a/tools/perf/util/ordered-events.c
+++ b/tools/perf/util/ordered-events.c
@@ -269,6 +269,8 @@ int ordered_events__flush(struct ordered_events *oe, enum oe_flush how)
 		"FINAL",
 		"ROUND",
 		"HALF ",
+		"TOP  ",
+		"TIME ",
 	};
 	int err;
 	bool show_progress = false;

More information about the Devel mailing list