Hi, Cody
On Thu, 19 Jul 2012 17:13:35 -0700, Cody Schafer wrote:
> A large enough symbol size causes an overflow in the size parameter to the
> histogram allocation, leading to a segfault in symbol__inc_addr_samples later
> on when this histogram is accessed.
>
> In the case of being called via perf-report, this returns back and
> gracefully ignores the sample, eventually ignoring the chained return
> value of perf_session_deliver_event in flush_sample_queue.
>
> Signed-off-by: Cody Schafer <c...@linux.vnet.ibm.com>
> ---
> tools/perf/util/annotate.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
> index 8069dfb..6f78f20 100644
> --- a/tools/perf/util/annotate.c
> +++ b/tools/perf/util/annotate.c
> @@ -426,8 +426,13 @@ int symbol__alloc_hist(struct symbol *sym)
> {
> struct annotation *notes = symbol__annotation(sym);
> const size_t size = symbol__size(sym);
> - size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
> + size_t sizeof_sym_hist;
>
> + /* Check for overflow when calculating sizeof_sym_hist */
> + if (size > (SIZE_MAX / sizeof(u64)))
> + return -1;
How does it guarantee that the end result which used in zalloc below
would not overflow?
Thanks,
Namhyung
> +
> + sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
> notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events *
> sizeof_sym_hist);
> if (notes->src == NULL)
> return -1;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
