Bug 153351

Summary: access beyond end of buffer in performance event tool
Product: Tracing/Profiling
Reporter: bsweeney
Component: Perf tool
Assignee: Arnaldo Carvalho de Melo (acme)
Status: NEW
Severity: normal
CC: jolsa
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.x
Subsystem:
Regression: No
Bisected commit-id:

Description bsweeney 2016-08-18 18:40:52 UTC
In file /tools/perf/util/evsel.c, function __perf_evsel__hw_cache_name, it appears that there is a bug that reads beyond the end of the buffer. The statement "if (type > PERF_COUNT_HW_CACHE_MAX)" allows type to be equal to the maximum value. Later, when the statement "if (!perf_evsel__is_cache_op_valid(type, op))" is executed, the function can access array perf_evsel__hw_cache_stat[type] beyond the end of the buffer.

It appears to me that the statement "if (type > PERF_COUNT_HW_CACHE_MAX)" should be "if (type >= PERF_COUNT_HW_CACHE_MAX)"

Bug found with Coverity and manual code review. No attempts were made to execute the code with a maximum type value.
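Added illustration, not code from the perf tree or from the reporter: a minimal C model of the bounds check described in the report. The enum, the name table and every identifier prefixed ex_ are constructed stand-ins for PERF_COUNT_HW_CACHE_MAX and perf_evsel__hw_cache_stat[], chosen only to show the shape of the problem. The buggy check uses ">" and so accepts the MAX sentinel, which indexes one element past the end of a table sized by that sentinel; the fixed check uses ">=" and rejects it. ex_oob_window() counts how many values the two checks disagree on, which for an upper bound on the type alone is exactly one.

```c
/* Added example, not perf's code: a model of the off-by-one bounds check
 * reported in bug 153351.  All names below are constructed for
 * illustration and are not the real perf definitions. */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed enum: valid indices are 0 .. EX_CACHE_MAX-1.
 * EX_CACHE_MAX is the element count, never a valid index. */
enum ex_hw_cache {
	EX_CACHE_L1D = 0,
	EX_CACHE_L1I,
	EX_CACHE_LL,
	EX_CACHE_MAX,
};

/* Constructed table with exactly EX_CACHE_MAX entries, so
 * ex_cache_names[EX_CACHE_MAX] is one past the end. */
static const char *ex_cache_names[EX_CACHE_MAX] = {
	[EX_CACHE_L1D] = "L1-dcache",
	[EX_CACHE_L1I] = "L1-icache",
	[EX_CACHE_LL]  = "LLC",
};

/* The check as the report describes it: '>' lets type == EX_CACHE_MAX
 * through, so a later ex_cache_names[type] reads out of bounds. */
bool ex_type_ok_buggy(unsigned type)
{
	return !(type > EX_CACHE_MAX);
}

/* The check as the report proposes: '>=' also rejects the sentinel. */
bool ex_type_ok_fixed(unsigned type)
{
	return !(type >= EX_CACHE_MAX);
}

/* Safe lookup built on the fixed check: NULL for any out-of-range type,
 * so callers never touch the table with an unchecked index. */
const char *ex_cache_name(unsigned type)
{
	if (!ex_type_ok_fixed(type))
		return NULL;
	return ex_cache_names[type];
}

/* Number of values in 0..limit that the buggy check accepts but the fixed
 * check rejects, i.e. the width of the out-of-bounds window. */
unsigned ex_oob_window(unsigned limit)
{
	unsigned n = 0;
	for (unsigned t = 0; t <= limit; t++)
		if (ex_type_ok_buggy(t) && !ex_type_ok_fixed(t))
			n++;
	return n;
}

int main(void)
{
	/* Walk every value up to and including the sentinel to show where
	 * the two checks diverge. */
	for (unsigned t = 0; t <= EX_CACHE_MAX; t++) {
		const char *name = ex_cache_name(t);
		printf("type %u: buggy=%d fixed=%d name=%s\n", t,
		       ex_type_ok_buggy(t), ex_type_ok_fixed(t),
		       name ? name : "(rejected)");
	}
	return 0;
}
```

The same pattern applies to any table sized by a _MAX enumerator: the enumerator counts elements, so a valid index must be strictly less than it, and the rejecting comparison must be ">=". A second comparison that runs before the table access, such as the op validation the report mentions, does not help if it itself indexes the table with the unchecked value.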