From: Carlos O'Donell
Organization: Red Hat
Date: Tue, 7 Feb 2023 09:22:08 -0500
Subject: Re: [PATCH] gmon: Fix allocated buffer overflow (bug 2944)
To: Леонид Юрьев (Leonid Yuriev), libc-alpha@sourceware.org
Cc: drepper.fsp@gmail.com
Message-ID: <71189026-8ab2-dd5b-5bf2-17ac45f01a28@redhat.com>
In-Reply-To: <20230204114138.5436-1-leo@yuriev.ru>
References: <20230204114138.5436-1-leo@yuriev.ru>
List-Id: libc-alpha

On 2/4/23 06:41, Леонид Юрьев (Leonid Yuriev) wrote:
> The `__monstartup()` allocates a buffer used to store all the data
> accumulated by the monitor.

I haven't reviewed this yet, but the bug number is "29444" and is
incorrectly written in the Subject line.

Thanks for posting this. We talked briefly about this patch during the
Monday patch review and we're trying to find a developer to review it.

> The size of this buffer depends on the size of the internal structures
> used and the address range for which the monitor is activated, as well
> as on the maximum density of call instructions and/or callable functions
> that could be potentially on a segment of executable code.
>
> In particular a hash table of arcs is placed at the end of this buffer.
> The size of this hash table is calculated in bytes as
>   p->fromssize = p->textsize / HASHFRACTION;
>
> but actually should be
>   p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
>
> Another minor error seems to be a related typo in the calculation of
> `kcountsize`.
>
> This results in writing beyond the end of the allocated buffer when an
> added arc corresponds to a call near the end of the monitored
> address range, since `_mcount()` checks the incoming caller address for
> the monitored range but not the intermediate hash-like index that it
> uses to write into the table.
> > It should be noted that when the results are output to `gmon.out`, the > table is read to the last element calculated from the allocated size in > bytes, so the arcs stored outside the buffer boundary did not fall into > `gprof` for analysis. Thus this "feature" help me to found this bug > during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438 > > Just in case, I will explicitly note that the problem breaks the > `make test t=gmon/tst-gmon-dso` added for Bug 29438. > There, the arc of the `f3()` call disappears from the output, since in > the DSO case, the call to `f3` is located close to the end of the > monitored range. > > Signed-off-by: Леонид Юрьев (Leonid Yuriev) > --- > gmon/gmon.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/gmon/gmon.c b/gmon/gmon.c > index dee64803ad..4712d9f66b 100644 > --- a/gmon/gmon.c > +++ b/gmon/gmon.c > @@ -132,7 +132,7 @@ __monstartup (u_long lowpc, u_long highpc) > p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER)); > p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER)); > p->textsize = p->highpc - p->lowpc; > - p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms)); > + p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->kcount)); > p->hashfraction = HASHFRACTION; > p->log_hashfraction = -1; > /* The following test must be kept in sync with the corresponding > @@ -142,7 +142,7 @@ __monstartup (u_long lowpc, u_long highpc) > instead of integer division. Precompute shift amount. */ > p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1; > } > - p->fromssize = p->textsize / HASHFRACTION; > + p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); > p->tolimit = p->textsize * ARCDENSITY / 100; > if (p->tolimit < MINARCS) > p->tolimit = MINARCS; -- Cheers, Carlos.
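Review bot: the first hunk (the `kcountsize` line) changes the rounding granularity from sizeof(*p->froms) to sizeof(*p->kcount), and the commit message only calls this "a related typo" without saying whether the allocated size changes. On any target where the two element sizes differ, `kcountsize` and therefore the position of everything laid out after it in the buffer move, so please state in the commit message whether this is a no-op on common targets or a behavioural change, and confirm that the code which later reads `kcountsize` back (the gmon.out writer the message mentions) agrees with the new rounding.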
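Review bot: the second hunk (the `fromssize` line) fixes the allocation size but does not add the index bounds check that the commit message says `_mcount()` lacks, so the correctness of the fix rests on an argument that is not written down anywhere in the patch. Please add a comment above the ROUNDUP explaining that the shift-based index (the `p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;` context line) can address the last, partial element of a table sized in bytes, which is why the table must hold a whole number of elements; alternatively, reject an out-of-range index in `_mcount()` as well. Since the commit message reports that `gmon/tst-gmon-dso` loses the `f3()` arc, a regression test asserting that arc is present would catch a reintroduction.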
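To make the sizing argument in the commit message concrete, here is an added example (not glibc code and not part of the patch or this thread) that mirrors the `__monstartup()` arithmetic with and without the ROUNDUP on `fromssize`, computes the largest index a caller strictly inside [lowpc, highpc) would produce, and reports whether that index lands past the end of the table. It goes beyond the single case in the message by scanning every text size up to 256 bytes. Assumptions not stated on the page: HISTFRACTION and HASHFRACTION of 2, a 2-byte HISTCOUNTER, an 8-byte `froms` element, and an index of (pc - lowpc) / (HASHFRACTION * sizeof elem), which is what a shift by `log_hashfraction` computes; the 36-byte range and the 0x1000 base address are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants (glibc's actual values are target-specific). */
#define HISTFRACTION      2
#define HASHFRACTION      2
#define HISTCOUNTER_SIZE  2   /* assumed sizeof(HISTCOUNTER) */
#define FROMS_ELEM_SIZE   8   /* assumed sizeof(*p->froms) */

#define ROUNDDOWN(x, y) (((x) / (y)) * (y))
#define ROUNDUP(x, y)   ((((x) + (y) - 1) / (y)) * (y))

struct sizing {
    uintptr_t lowpc, highpc, textsize;
    size_t fromssize;       /* bytes reserved for the arc hash table */
    size_t nfroms;          /* whole elements that fit in fromssize */
    int log_hashfraction;   /* shift used by the _mcount() fast path */
};

/* log2 of a power of two; glibc derives it as ffs(v) - 1. */
static int log2_pow2(size_t v)
{
    int l = 0;
    while (((size_t)1 << l) < v)
        l++;
    return l;
}

/* Mirror the __monstartup() size arithmetic, with (rounded != 0) or
   without the ROUNDUP the patch adds to fromssize. */
static struct sizing monstartup_sizing(uintptr_t lowpc, uintptr_t highpc, int rounded)
{
    struct sizing s;
    s.lowpc = ROUNDDOWN(lowpc, HISTFRACTION * HISTCOUNTER_SIZE);
    s.highpc = ROUNDUP(highpc, HISTFRACTION * HISTCOUNTER_SIZE);
    s.textsize = s.highpc - s.lowpc;
    s.fromssize = rounded
        ? ROUNDUP(s.textsize / HASHFRACTION, FROMS_ELEM_SIZE)
        : s.textsize / HASHFRACTION;
    s.nfroms = s.fromssize / FROMS_ELEM_SIZE;
    s.log_hashfraction = log2_pow2(HASHFRACTION * FROMS_ELEM_SIZE);
    return s;
}

/* Index the shift-based path computes for a caller pc (assumed model):
   (pc - lowpc) / (HASHFRACTION * sizeof elem), with no range check. */
static size_t froms_index(const struct sizing *s, uintptr_t frompc)
{
    return (size_t)((frompc - s->lowpc) >> s->log_hashfraction);
}

/* Largest index any caller strictly inside [lowpc, highpc) can produce. */
static size_t max_froms_index(const struct sizing *s)
{
    return froms_index(s, s->highpc - 1);
}

/* 1 if such a caller would write past the last whole element of froms. */
static int froms_overflows(const struct sizing *s)
{
    return max_froms_index(s) >= s->nfroms;
}

/* Count the text sizes up to max_textsize (stepping by the HISTFRACTION
   granularity) for which an in-range caller indexes out of bounds. */
static int count_overflowing(uintptr_t lowpc, size_t max_textsize, int rounded)
{
    const size_t step = HISTFRACTION * HISTCOUNTER_SIZE;
    int n = 0;
    for (size_t ts = step; ts <= max_textsize; ts += step) {
        struct sizing s = monstartup_sizing(lowpc, lowpc + ts, rounded);
        if (froms_overflows(&s))
            n++;
    }
    return n;
}

/* The constructed case printed by main(): a 36-byte monitored range. */
static int demo_overflows(int rounded)
{
    struct sizing s = monstartup_sizing(0x1000, 0x1000 + 36, rounded);
    return froms_overflows(&s);
}

int main(void)
{
    for (int rounded = 0; rounded <= 1; rounded++) {
        struct sizing s = monstartup_sizing(0x1000, 0x1000 + 36, rounded);
        printf("%s: textsize=%zu fromssize=%zu elements=%zu max index=%zu -> %s\n",
               rounded ? "ROUNDUP" : "textsize / HASHFRACTION",
               (size_t)s.textsize, s.fromssize, s.nfroms, max_froms_index(&s),
               froms_overflows(&s) ? "OVERFLOW" : "ok");
    }
    printf("sizes up to 256 that overflow: %d unrounded, %d rounded\n",
           count_overflowing(0x1000, 256, 0), count_overflowing(0x1000, 256, 1));
    return 0;
}
```

With the assumed sizes, a 36-byte range gives `fromssize = 18`, which holds only two 8-byte elements, while the last in-range caller indexes element 2; rounding up to 24 bytes makes room for it. The scan shows the unrounded size fails for every text size that is not a multiple of HASHFRACTION times the element size, which is why the bug only surfaces for calls near the end of the range, as the commit message describes.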