Em Tue, Sep 06, 2016 at 04:49:29PM +0200, Dmitry Vyukov escreveu: > On Tue, Sep 6, 2016 at 4:44 PM, Arnaldo Carvalho de Melo > <[email protected]> wrote: > > Em Tue, Sep 06, 2016 at 04:36:08PM +0200, Peter Zijlstra escreveu: > >> On Tue, Sep 06, 2016 at 03:42:40PM +0200, Dmitry Vyukov wrote: > >> > Hello, > >> > > >> > The following program trigger an out-of-bounds write in > >> > perf_callchain_store (if run in a parallel loop): > >> > > >> > https://gist.githubusercontent.com/dvyukov/c05d883e776a353a1d063b670f50bde6/raw/1c8906b1aacfbd8a0cc0b5cf0cc4d0535345e497/gistfile1.txt > >> > > >> > > >> > BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0xe65/0xfc0 at > >> > addr ffff88003e162840 > >> > Write of size 8 by task syz-executor/22516 > >> > CPU: 0 PID: 22516 Comm: syz-executor Not tainted > >> > 4.8.0-rc5-next-20160905+ #14 > >> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs > >> > 01/01/2011 > >> > ffffffff886b6fe0 ffff88003ec07738 ffffffff82db81a9 ffffffff00000000 > >> > fffffbfff10d6dfc ffff88003e800a00 ffff88003e161740 ffff88003e163740 > >> > 0000000000000001 ffff88003e162840 ffff88003ec07760 ffffffff8180b2ec > >> > Call Trace: > >> > [<ffffffff8180b9c7>] __asan_report_store8_noabort+0x17/0x20 > >> > mm/kasan/report.c:332 > >> > [< inline >] perf_callchain_store > >> > include/linux/perf_event.h:1146 > >> > [<ffffffff81014925>] perf_callchain_user+0xe65/0xfc0 > >> > arch/x86/events/core.c:2441 > >> > [<ffffffff816c5f48>] get_perf_callchain+0x448/0x680 > >> > kernel/events/callchain.c:235 > >> > [<ffffffff816c62cd>] perf_callchain+0x14d/0x1a0 > >> > kernel/events/callchain.c:191 > >> > >> Urgh, that callchain code is a pain with that context/entries > >> separation. But I can't see an obvious overrun there. > >> > >> But WTF is max_contexts a sysctl? that doesn't seen to make any kind of > >> sense. > >> > >> Acme, can you untangle that stuff and spot the fail? > > > > I looked at it briefly some moments ago, couldn't find it so far, have > > to look at what was behind adding a sysctl for that :-\ > > > > And yeah, that entry/ctx thing, IIRC, was done to reduce patch size, > > probably needs some polishing to become clearer. > > > I believe fuzzer wasn't messing with sysctl's. > But, yeah, I guess it's really bad idea to try to change them on a > running system.
Why? They start with a reasonable value, but that is not ok for all cases, thus they were introduced, and they only can get changed if there are _no_ callchain users, so what would be the problem? - Arnaldo
