From mboxrd@z Thu Jan 1 00:00:00 1970
From: Siddhesh Poyarekar
To: Леонид Юрьев (Leonid Yuriev), libc-alpha@sourceware.org
Cc: drepper.fsp@gmail.com
Date: Tue, 7 Feb 2023 10:06:11 -0500
Subject: Re: [PATCH] gmon: Fix allocated buffer overflow (bug 2944)
Message-ID: <831ec831-2312-7ca2-06c6-6b2465d26aaa@gotplt.org>
In-Reply-To: <20230204114138.5436-1-leo@yuriev.ru>
References: <20230204114138.5436-1-leo@yuriev.ru>

On 2023-02-04 06:41, Леонид Юрьев (Leonid Yuriev) wrote:
> The `__monstartup()` allocates a buffer used to store all the data
> accumulated by the monitor.
>
> The size of this buffer depends on the size of the internal structures
> used and the address range for which the monitor is activated, as well
> as on the maximum density of call instructions and/or callable functions
> that could potentially be on a segment of executable code.
>
> In particular a hash table of arcs is placed at the end of this buffer.
> The size of this hash table is calculated in bytes as
>     p->fromssize = p->textsize / HASHFRACTION;
> but actually should be
>     p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
>
> Another minor error seems to be a related typo in the calculation of `kcountsize`.
>
> This results in writing beyond the end of the allocated buffer when an
> added arc corresponds to a call near the end of the monitored
> address range, since `_mcount()` checks the incoming caller address against
> the monitored range but not the intermediate hash-like index that it
> uses to write into the table.
>
> It should be noted that when the results are output to `gmon.out`, the
> table is read up to the last element calculated from the allocated size in
> bytes, so the arcs stored outside the buffer boundary did not fall into
> `gprof` for analysis. Thus this "feature" helped me to find this bug
> while working on https://sourceware.org/bugzilla/show_bug.cgi?id=29438
>
> Just in case, I will explicitly note that the problem breaks the
> `make test t=gmon/tst-gmon-dso` added for Bug 29438.
> There, the arc of the `f3()` call disappears from the output, since in
> the DSO case, the call to `f3` is located close to the end of the
> monitored range.
>
> Signed-off-by: Леонид Юрьев (Leonid Yuriev)

Adding a quick note here since this got raised as a security issue: this
is a bug, but I don't see any security impact here since the inputs that
cause this are trusted, coming from addresses of a profiled application.
We'll be rejecting this CVE.

I'll leave the actual patch review and fix incorporation to DJ, who has
volunteered to look at it.

Thanks,
Sid
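The sizing defect the quoted commit message describes, worked through as an added example that is not code from glibc or from the patch: it computes the froms-table size with the original formula and with the proposed ROUNDUP, hashes each caller offset inside the monitored range to its table slot, and reports the first offset whose slot would be written past the allocated bytes. HASHFRACTION, the element type `from_t` standing in for `*p->froms`, the slot formula and the sample text sizes are assumptions chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the gmon parameters named in the commit
   message (assumptions for this example, picked to resemble a 64-bit
   build): HASHFRACTION divides the text range into hash slots, from_t is
   the element type of p->froms, textsize is the monitored range in bytes. */
#define HASHFRACTION 2
typedef uint64_t from_t;                 /* stand-in for *p->froms */

/* Round x up to a multiple of y (same result as a mask-based ROUNDUP
   when y is a power of two). */
#define ROUNDUP(x, y) ((((x) + (y) - 1) / (y)) * (y))

/* froms-table size in bytes as computed before the patch. */
static size_t fromssize_before(size_t textsize)
{
    return textsize / HASHFRACTION;
}

/* froms-table size in bytes as the patch proposes: rounded up to a
   whole number of entries. */
static size_t fromssize_after(size_t textsize)
{
    return ROUNDUP(textsize / HASHFRACTION, sizeof(from_t));
}

/* Slot that a caller offset `frompc` (relative to lowpc) hashes to.
   Assumption: one slot covers HASHFRACTION * sizeof(from_t) bytes of text,
   which is the "hash-like index" the commit message refers to. */
static size_t from_index(size_t frompc)
{
    return frompc / (HASHFRACTION * sizeof(from_t));
}

/* 1 if storing slot `idx` stays inside a table of `fromssize` bytes. */
static int slot_in_bounds(size_t idx, size_t fromssize)
{
    return (idx + 1) * sizeof(from_t) <= fromssize;
}

/* Walk every caller offset inside the monitored range and return the
   first one whose slot lies past the end of the table, or -1 if every
   offset fits. `sizer` selects which sizing formula is checked. */
static long first_overflowing_frompc(size_t textsize,
                                     size_t (*sizer)(size_t))
{
    size_t fromssize = sizer(textsize);
    for (size_t frompc = 0; frompc < textsize; frompc++)
        if (!slot_in_bounds(from_index(frompc), fromssize))
            return (long)frompc;
    return -1;
}

int main(void)
{
    /* Constructed text sizes, all multiples of 4 since gmon aligns the
       monitored range; not every size triggers the overflow. */
    static const size_t sizes[] = { 4, 16, 20, 36 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t t = sizes[i];
        printf("textsize=%2zu  before: %2zu bytes, first overflow at %3ld"
               "  after: %2zu bytes, first overflow at %3ld\n",
               t, fromssize_before(t),
               first_overflowing_frompc(t, fromssize_before),
               fromssize_after(t),
               first_overflowing_frompc(t, fromssize_after));
    }
    return 0;
}
```

The walk mirrors the point in the message: the caller address is range-checked, but the derived slot is not, so whether a write lands inside the buffer depends entirely on the allocation formula. With the original formula a 20-byte range gets 10 bytes of table and the caller offset 16 hashes to the second 8-byte slot, which needs 16 bytes; the rounded-up size covers it.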