iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/kernel
History
Yang Jihong ddcf832000 perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output 
[ Upstream commit eb81a2ed4f52be831c9fb879752d89645a312c13 ]

syzkaller reportes a KASAN issue with stack-out-of-bounds.
The call trace is as follows:
  dump_stack+0x9c/0xd3
  print_address_description.constprop.0+0x19/0x170
  __kasan_report.cold+0x6c/0x84
  kasan_report+0x3a/0x50
  __perf_event_header__init_id+0x34/0x290
  perf_event_header__init_id+0x48/0x60
  perf_output_begin+0x4a4/0x560
  perf_event_bpf_output+0x161/0x1e0
  perf_iterate_sb_cpu+0x29e/0x340
  perf_iterate_sb+0x4c/0xc0
  perf_event_bpf_event+0x194/0x2c0
  __bpf_prog_put.constprop.0+0x55/0xf0
  __cls_bpf_delete_prog+0xea/0x120 [cls_bpf]
  cls_bpf_delete_prog_work+0x1c/0x30 [cls_bpf]
  process_one_work+0x3c2/0x730
  worker_thread+0x93/0x650
  kthread+0x1b8/0x210
  ret_from_fork+0x1f/0x30

commit 267fb27352b6 ("perf: Reduce stack usage of perf_output_begin()")
use on-stack struct perf_sample_data of the caller function.

However, perf_event_bpf_output uses incorrect parameter to convert
small-sized data (struct perf_bpf_event) into large-sized data
(struct perf_sample_data), which causes memory overwriting occurs in
__perf_event_header__init_id.

Fixes: 267fb27352b6 ("perf: Reduce stack usage of perf_output_begin()")
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20230314044735.56551-1-yangjihong1@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-04-05 11:23:29 +02:00
..
bpf
btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR
2023-03-17 08:45:12 +01:00
cgroup
memcg: fix possible use-after-free in memcg_write_event_control()
2022-12-14 11:31:57 +01:00
configs
debug
lockdown: also lock down previous kgdb use
2022-05-30 09:33:22 +02:00
dma
swiotlb: max mapping size takes min align mask into account
2022-10-05 10:38:40 +02:00
entry
entry/kvm: Exit to user mode when TIF_NOTIFY_SIGNAL is set
2023-01-04 11:39:22 +01:00
events
perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output
2023-04-05 11:23:29 +02:00
futex
futex: Resend potentially swallowed owner death notification
2023-01-14 10:15:20 +01:00
gcov
gcov: add support for checksum field
2023-01-14 10:16:24 +01:00
irq
irqdomain: Fix domain registration race
2023-03-17 08:45:08 +01:00
kcsan
panic: Consolidate open-coded panic_on_warn checks
2023-02-01 08:23:20 +01:00
livepatch
livepatch: fix race between fork and KLP transition
2022-10-26 13:25:14 +02:00
locking
locking/lockdep: Fix lockdep_init_map_*() confusion
2022-08-21 15:15:33 +02:00
power
PM: EM: fix memory leak with using debugfs_lookup()
2023-03-11 16:39:51 +01:00
printk
printk: fix return value of printk.devkmsg __setup handler
2022-04-08 14:40:08 +02:00
rcu
rcu-tasks: Make rude RCU-Tasks work well with CPU hotplug
2023-03-11 16:39:49 +01:00
sched
sched/rt: pick_next_rt_entity(): check list_entry
2023-03-11 16:39:16 +01:00
time
clocksource: Suspend the watchdog temporarily when high read latency detected
2023-03-11 16:39:50 +01:00
trace
ftrace: Fix invalid address access in lookup_rec() when index is 0
2023-03-22 13:30:04 +01:00
.gitignore
kbuild: update config_data.gz only when the content of .config is changed
2021-05-11 14:47:37 +02:00
acct.c
acct: fix potential integer overflow in encode_comp_t()
2023-01-14 10:16:14 +01:00
async.c
Revert "module, async: async_synchronize_full() on module init iff async is used"
2022-02-23 12:01:00 +01:00
audit_fsnotify.c
audit: fix potential double free on error path from fsnotify_add_inode_mark
2022-08-31 17:15:13 +02:00
audit_tree.c
audit: move put_tree() to avoid trim_trees refcount underflow and UAF
2021-09-03 10:09:31 +02:00
audit_watch.c
fsnotify: generalize handle_inode_event()
2020-12-30 11:54:18 +01:00
audit.c
audit: improve audit queue handling when "audit=1" on cmdline
2022-02-08 18:30:34 +01:00
audit.h
audit: log AUDIT_TIME_* records only from rules
2022-04-08 14:40:00 +02:00
auditfilter.c
treewide: Use fallthrough pseudo-keyword
2020-08-23 17:36:59 -05:00
auditsc.c
audit: log AUDIT_TIME_* records only from rules
2022-04-08 14:40:00 +02:00
backtracetest.c
bounds.c
capability.c
LSM: Signal to SafeSetID when setting group IDs
2020-10-13 09:17:34 -07:00
compat.c
treewide: Use fallthrough pseudo-keyword
2020-08-23 17:36:59 -05:00
configs.c
context_tracking.c
cpu_pm.c
PM: cpu: Make notifier chain use a raw_spinlock_t
2021-09-15 09:50:40 +02:00
cpu.c
cpu/hotplug: Make target_store() a nop when target == state
2023-01-14 10:15:20 +01:00
crash_core.c
crash_core, vmcoreinfo: append 'SECTION_SIZE_BITS' to vmcoreinfo
2021-06-23 14:42:52 +02:00
crash_dump.c
cred.c
Revert "Add a reference to ucounts for each cred"
2021-09-08 08:49:00 +02:00
delayacct.c
dma.c
exec_domain.c
exit.c
exit: Use READ_ONCE() for all oops/warn limit reads
2023-02-01 08:23:21 +01:00
extable.c
fail_function.c
kernel/fail_function: fix memory leak with using debugfs_lookup()
2023-03-11 16:40:18 +01:00
fork.c
fork: allow CLONE_NEWTIME in clone3 flags
2023-03-17 08:45:06 +01:00
freezer.c
Revert "kernel: freezer should treat PF_IO_WORKER like PF_KTHREAD for freezing"
2021-04-07 15:00:14 +02:00
gen_kheaders.sh
groups.c
LSM: Signal to SafeSetID when setting group IDs
2020-10-13 09:17:34 -07:00
hung_task.c
kernel/hung_task.c: make type annotations consistent
2020-11-02 12:14:19 -08:00
iomem.c
irq_work.c
jump_label.c
jump_label: Fix jump_label_text_reserved() vs __init
2021-07-20 16:05:58 +02:00
kallsyms.c
treewide: Convert macro and uses of __section(foo) to __section("foo")
2020-10-25 14:51:49 -07:00
kcmp.c
exec: Transform exec_update_mutex into a rw_semaphore
2021-01-09 13:46:24 +01:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kcov: make some symbols static
2020-08-12 10:58:02 -07:00
kexec_core.c
kernel: kexec: remove the lock operation of system_transition_mutex
2021-02-03 23:28:37 +01:00
kexec_elf.c
kexec_file.c
ima: force signature verification when CONFIG_KEXEC_SIG is configured
2022-07-21 21:20:11 +02:00
kexec_internal.h
kexec.c
LSM: Introduce kernel_post_load_data() hook
2020-10-05 13:37:03 +02:00
kheaders.c
kmod.c
kmod: remove redundant "be an" in the comment
2020-08-12 10:58:01 -07:00
kprobes.c
x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range
2023-03-11 16:39:59 +01:00
ksysfs.c
kthread.c
kthread: Fix PF_KTHREAD vs to_kthread() race
2021-09-03 10:09:31 +02:00
latencytop.c
Makefile
futex: Move to kernel/futex/
2023-01-14 10:15:20 +01:00
module_signature.c
module: harden ELF info handling
2021-03-25 09:04:11 +01:00
module_signing.c
module: harden ELF info handling
2021-03-25 09:04:11 +01:00
module-internal.h
module.c
module: Don't wait for GOING modules
2023-02-01 08:23:22 +01:00
notifier.c
notifier: Fix broken error handling pattern
2020-09-01 09:58:03 +02:00
nsproxy.c
padata.c
padata: Fix list iterator in padata_do_serial()
2023-01-14 10:15:51 +01:00
panic.c
exit: Use READ_ONCE() for all oops/warn limit reads
2023-02-01 08:23:21 +01:00
params.c
params: Replace zero-length array with flexible-array member
2020-10-29 17:22:59 -05:00
pid_namespace.c
rcu-tasks: Fix synchronize_rcu_tasks() VS zap_pid_ns_processes()
2023-03-11 16:39:19 +01:00
pid.c
exec: Transform exec_update_mutex into a rw_semaphore
2021-01-09 13:46:24 +01:00
profile.c
profiling: fix shift too large makes kernel panic
2022-08-21 15:16:05 +02:00
ptrace.c
ptrace: Reimplement PTRACE_KILL by always sending SIGKILL
2022-06-09 10:20:49 +02:00
range.c
kernel.h: split out min()/max() et al. helpers
2020-10-16 11:11:19 -07:00
reboot.c
reboot: fix overflow parsing reboot cpu number
2020-11-14 11:26:03 -08:00
regset.c
relay.c
relay: fix type mismatch when allocating memory in relay_create_buf()
2023-01-14 10:15:22 +01:00
resource.c
dax/kmem: Fix leak of memory-hotplug resources
2023-03-11 16:40:04 +01:00
rseq.c
rseq: Remove broken uapi field layout on 32-bit little endian
2022-04-08 14:40:03 +02:00
scftorture.c
scftorture: Fix distribution of short handler delays
2022-06-09 10:21:01 +02:00
scs.c
mm: memcontrol: account kernel stack per node
2020-08-07 11:33:25 -07:00
seccomp.c
seccomp: Fix setting loaded filter count during TSYNC
2021-08-18 08:59:06 +02:00
signal.c
task_work: unconditionally run task_work from get_signal()
2023-01-04 11:39:23 +01:00
smp.c
smp: Fix offline cpu check in flush_smp_call_function_queue()
2022-04-20 09:23:29 +02:00
smpboot.c
sched/core: Initialize the idle task with preemption disabled
2021-07-14 16:55:50 +02:00
smpboot.h
softirq.c
softirq: Add debug check to __raise_softirq_irqoff()
2020-09-16 15:18:56 +02:00
stackleak.c
gcc-plugins/stackleak: Use noinstr in favor of notrace
2022-02-23 12:01:00 +01:00
stacktrace.c
stacktrace: Remove reliable argument from arch_stack_walk() callback
2020-09-18 14:24:16 +01:00
static_call.c
static_call: Fix unused variable warn w/o MODULE
2021-09-08 08:49:00 +02:00
stop_machine.c
stop_machine, rcu: Mark functions as notrace
2020-10-26 12:12:27 +01:00
sys_ni.c
kernel/sys_ni: add compat entry for fadvise64_64
2022-08-31 17:15:13 +02:00
sys.c
prlimit: do_prlimit needs to have a speculation check
2023-01-24 07:19:58 +01:00
sysctl-test.c
sysctl.c
kernel/panic: move panic sysctls to its own file
2023-02-01 08:23:18 +01:00
task_work.c
task_work: add helper for more targeted task_work canceling
2023-01-04 11:39:23 +01:00
taskstats.c
taskstats: move specifying netlink policy back to ops
2020-10-02 19:11:12 -07:00
test_kprobes.c
torture.c
tracepoint.c
tracepoint: Use rcu get state and cond sync for static call updates
2021-09-03 10:09:30 +02:00
tsacct.c
taskstats: Cleanup the use of task->exit_code
2022-01-27 10:54:33 +01:00
ucount.c
Revert "Add a reference to ucounts for each cred"
2021-09-08 08:49:00 +02:00
uid16.c
uid16.h
umh.c
usermodehelper: reset umask to default before executing user process
2020-10-06 10:31:52 -07:00
up.c
smp: Fix smp_call_function_single_async prototype
2021-05-14 09:50:46 +02:00
user_namespace.c
Revert "Add a reference to ucounts for each cred"
2021-09-08 08:49:00 +02:00
user-return-notifier.c
user.c
usermode_driver.c
bpf: Fix umd memory leak in copy_process()
2021-03-30 14:32:03 +02:00
utsname_sysctl.c
utsname.c
watch_queue.c
watch_queue: fix IOC_WATCH_QUEUE_SET_SIZE alloc error paths
2023-03-17 08:45:13 +01:00
watchdog_hld.c
watchdog.c
watchdog: export lockup_detector_reconfigure
2022-08-25 11:38:20 +02:00
workqueue_internal.h
workqueue.c
workqueue: don't skip lockdep work dependency in cancel_work_sync()
2022-09-28 11:10:40 +02:00