153351 – access beyond end of buffer in performance event tool

Bug 153351 - access beyond end of buffer in performance event tool

Summary: access beyond end of buffer in performance event tool

Status:	NEW

Alias:	None

Product:	Tracing/Profiling
Classification:	Unclassified
Component:	Perf tool (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	Arnaldo Carvalho de Melo

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-08-18 18:40 UTC by bsweeney
Modified:	2016-08-18 18:40 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:	4.x
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description bsweeney 2016-08-18 18:40:52 UTC

In file /tools/perf/util/evsel.c  function __perf_evsel__hw_cache_name it appears that there is a bug that reads beyond the end of the buffer. The statement "if (type > PERF_COUNT_HW_CACHE_MAX)" allows type to be equal to the maximum value. Later, when statement "if (!perf_evsel__is_cache_op_valid(type, op))" is executed, the function can access array perf_evsel__hw_cache_stat[type] beyond the end of the buffer.

It appears to me that the statement "if (type > PERF_COUNT_HW_CACHE_MAX)" should be "if (type >= PERF_COUNT_HW_CACHE_MAX)"

Bug found with Coverity and manual code review. No attempts were made to execute the code with a maximum type value.

Note You need to log in before you can comment on or make changes to this bug.