OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/arch
History
Stephen Boyd d9f966357b ARM: 7810/1: perf: Fix array out of bounds access in armpmu_map_hw_event() 
Vince Weaver reports an oops in the ARM perf event code while
running his perf_fuzzer tool on a pandaboard running v3.11-rc4.

Unable to handle kernel paging request at virtual address 73fd14cc
pgd = eca6c000
[73fd14cc] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: snd_soc_omap_hdmi omapdss snd_soc_omap_abe_twl6040 snd_soc_twl6040 snd_soc_omap snd_soc_omap_hdmi_card snd_soc_omap_mcpdm snd_soc_omap_mcbsp snd_soc_core snd_compress regmap_spi snd_pcm snd_page_alloc snd_timer snd soundcore
CPU: 1 PID: 2790 Comm: perf_fuzzer Not tainted 3.11.0-rc4 #6
task: eddcab80 ti: ed892000 task.ti: ed892000
PC is at armpmu_map_event+0x20/0x88
LR is at armpmu_event_init+0x38/0x280
pc : [<c001c3e4>]    lr : [<c001c17c>]    psr: 60000013
sp : ed893e40  ip : ecececec  fp : edfaec00
r10: 00000000  r9 : 00000000  r8 : ed8c3ac0
r7 : ed8c3b5c  r6 : edfaec00  r5 : 00000000  r4 : 00000000
r3 : 000000ff  r2 : c0496144  r1 : c049611c  r0 : edfaec00
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: aca6c04a  DAC: 00000015
Process perf_fuzzer (pid: 2790, stack limit = 0xed892240)
Stack: (0xed893e40 to 0xed894000)
3e40: 00000800 c001c17c 00000002 c008a748 00000001 00000000 00000000 c00bf078
3e60: 00000000 edfaee50 00000000 00000000 00000000 edfaec00 ed8c3ac0 edfaec00
3e80: 00000000 c073ffac ed893f20 c00bf180 00000001 00000000 c00bf078 ed893f20
3ea0: 00000000 ed8c3ac0 00000000 00000000 00000000 c0cb0818 eddcab80 c00bf440
3ec0: ed893f20 00000000 eddcab80 eca76800 00000000 eca76800 00000000 00000000
3ee0: 00000000 ec984c80 eddcab80 c00bfe68 00000000 00000000 00000000 00000080
3f00: 00000000 ed892000 00000000 ed892030 00000004 ecc7e3c8 ecc7e3c8 00000000
3f20: 00000000 00000048 ecececec 00000000 00000000 00000000 00000000 00000000
3f40: 00000000 00000000 00297810 00000000 00000000 00000000 00000000 00000000
3f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
3f80: 00000002 00000002 000103a4 00000002 0000016c c00128e8 ed892000 00000000
3fa0: 00090998 c0012700 00000002 000103a4 00090ab8 00000000 00000000 0000000f
3fc0: 00000002 000103a4 00000002 0000016c 00090ab0 00090ab8 000107a0 00090998
3fe0: bed92be0 bed92bd0 0000b785 b6e8f6d0 40000010 00090ab8 00000000 00000000
[<c001c3e4>] (armpmu_map_event+0x20/0x88) from [<c001c17c>] (armpmu_event_init+0x38/0x280)
[<c001c17c>] (armpmu_event_init+0x38/0x280) from [<c00bf180>] (perf_init_event+0x108/0x180)
[<c00bf180>] (perf_init_event+0x108/0x180) from [<c00bf440>] (perf_event_alloc+0x248/0x40c)
[<c00bf440>] (perf_event_alloc+0x248/0x40c) from [<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc)
[<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc) from [<c0012700>] (ret_fast_syscall+0x0/0x48)
Code: 0a000005 e3540004 0a000016 e3540000 (0791010c)

This is because event->attr.config in armpmu_event_init()
contains a very large number copied directly from userspace and
is never checked against the size of the array indexed in
armpmu_map_hw_event(). Fix the problem by checking the value of
config before indexing the array and rejecting invalid config
values.

Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
 		2013-08-13 20:21:44 +01:00
..
alpha alpha: delete __cpuinit usage from all users 2013-07-14 19:36:51 -04:00
arc Couple of Platform updates (Device Tree files primarily) given that the 2013-07-10 10:11:26 -07:00
arm ARM: 7810/1: perf: Fix array out of bounds access in armpmu_map_hw_event() 2013-08-13 20:21:44 +01:00
arm64 - Post -rc1 update to the common reboot infrastructure. 2013-07-19 15:08:53 -07:00
avr32 net: rename busy poll socket op and globals 2013-07-10 17:08:27 -07:00
blackfin Merge branch 'cpuinit_phase2' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2013-07-18 10:50:26 -07:00
c6x Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
cris cris: delete __cpuinit usage from all cris files 2013-07-14 19:36:54 -04:00
frv frv: delete __cpuinit usage from all frv files 2013-07-14 19:36:55 -04:00
h8300 net: rename busy poll socket op and globals 2013-07-10 17:08:27 -07:00
hexagon hexagon: delete __cpuinit usage from all hexagon files 2013-07-14 19:36:55 -04:00
ia64 net: rename busy poll socket op and globals 2013-07-10 17:08:27 -07:00
m32r m32r: delete __cpuinit usage from all m32r files 2013-07-14 19:36:55 -04:00
m68k Merge branch 'akpm' (updates from Andrew Morton) 2013-07-03 17:12:13 -07:00
metag metag: delete __cpuinit usage from all metag files 2013-07-14 19:36:54 -04:00
microblaze Merge branch 'next' of git://git.monstr.eu/linux-2.6-microblaze 2013-07-10 10:16:07 -07:00
mips Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2013-07-19 15:10:01 -07:00
mn10300 net: rename busy poll socket op and globals 2013-07-10 17:08:27 -07:00
openrisc openrisc: delete __cpuinit usage from all openrisc files 2013-07-14 19:36:55 -04:00
parisc parisc: delete __cpuinit usage from all users 2013-07-14 19:36:51 -04:00
powerpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-13 17:42:22 -07:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2013-07-19 15:08:12 -07:00
score score: delete __cpuinit usage from all score files 2013-07-14 19:36:56 -04:00
sh sh: delete __cpuinit usage from all sh files 2013-07-14 19:36:53 -04:00
sparc sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
tile tile: delete __cpuinit usage from all tile files 2013-07-14 19:36:54 -04:00
um um: siginfo cleanup 2013-07-19 11:31:36 +02:00
unicore32 reboot: move arch/x86 reboot= handling to generic kernel 2013-07-09 10:33:29 -07:00
x86 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml 2013-07-19 15:11:09 -07:00
xtensa xtensa: delete __cpuinit usage from all xtensa files 2013-07-14 19:36:56 -04:00
.gitignore
Kconfig mm: soft-dirty bits for user memory changes tracking 2013-07-03 16:07:26 -07:00