Hi, Cody

On Thu, 19 Jul 2012 17:13:35 -0700, Cody Schafer wrote:
> A large enough symbol size causes an overflow in the size parameter to the
> histogram allocation, leading to a segfault in symbol__inc_addr_samples later
> on when this histogram is accessed.
>
> In the case of being called via perf-report, this returns back and
> gracefully ignores the sample, eventually ignoring the chained return
> value of perf_session_deliver_event in flush_sample_queue.
>
> Signed-off-by: Cody Schafer <c...@linux.vnet.ibm.com>
> ---
> tools/perf/util/annotate.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
> index 8069dfb..6f78f20 100644
> --- a/tools/perf/util/annotate.c
> +++ b/tools/perf/util/annotate.c
> @@ -426,8 +426,13 @@ int symbol__alloc_hist(struct symbol *sym)
> {
> struct annotation *notes = symbol__annotation(sym);
> const size_t size = symbol__size(sym);
> - size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
> + size_t sizeof_sym_hist;
>
> + /* Check for overflow when calculating sizeof_sym_hist */
> + if (size > (SIZE_MAX / sizeof(u64)))
> + return -1;

How does it guarantee that the end result which is used in zalloc below would not overflow?

Thanks,
Namhyung

> +
> + sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
> notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events *
> sizeof_sym_hist);
> if (notes->src == NULL)
> return -1;
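Review bot: the guard `if (size > (SIZE_MAX / sizeof(u64)))` only proves that `size * sizeof(u64)` fits in a size_t; the `sizeof(struct sym_hist) + ...` addition on the next line and the `symbol_conf.nr_events * sizeof_sym_hist` multiplication in the zalloc argument are still unchecked and can wrap for values of `size` that pass the guard, which is exactly the concern raised in the reply. Widen the check to cover the whole expression that reaches zalloc, e.g. `if (size > (SIZE_MAX - sizeof(struct sym_hist)) / sizeof(u64)) return -1;` and then, before the allocation, reject the case where `sizeof_sym_hist` exceeds `(SIZE_MAX - sizeof(*notes->src)) / symbol_conf.nr_events` (with a separate guard for `nr_events == 0` so the division is defined). The comment `/* Check for overflow when calculating sizeof_sym_hist */` should then be reworded to say it guards the full allocation size, not just `sizeof_sym_hist`.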
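The exchange above is about a classic allocation-size overflow: a check on one multiplication does not protect the additions and the second multiplication that follow it. The example below is added here and is not code from the patch or from perf; it uses stand-in structure definitions (assumed shapes, not the real `struct sym_hist` or `notes->src` types) and shows, step by step, the four checks a defender needs so that the value handed to the allocator can never have wrapped. The `patch_guard_only` function reproduces just the single check from the hunk so the two can be compared on the same inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the perf structures (assumed shapes, not the real definitions). */
typedef uint64_t u64;
struct sym_hist { u64 sum; u64 addr[]; };  /* header followed by `size` counters */
struct annotated_source { int dummy; };    /* stands in for *notes->src */

/* Reproduces only the multiplication guard from the patch under review. */
int patch_guard_only(size_t size)
{
    if (size > (SIZE_MAX / sizeof(u64)))
        return -1;
    return 0;
}

/*
 * Computes the full allocation size used by the hunk:
 *   per_hist = sizeof(struct sym_hist) + size * sizeof(u64)
 *   total    = sizeof(struct annotated_source) + nr_events * per_hist
 * Every multiplication and addition is checked before it is performed.
 * Returns 0 and stores the total in *out, or -1 if any step would wrap.
 */
int hist_alloc_size(size_t nr_events, size_t size, size_t *out)
{
    size_t per_hist, total;

    /* step 1: size * sizeof(u64) (this is the only check the patch has) */
    if (size > SIZE_MAX / sizeof(u64))
        return -1;
    per_hist = size * sizeof(u64);

    /* step 2: + sizeof(struct sym_hist) can still wrap after step 1 */
    if (per_hist > SIZE_MAX - sizeof(struct sym_hist))
        return -1;
    per_hist += sizeof(struct sym_hist);

    /* step 3: nr_events * per_hist; guard nr_events == 0 so the division is defined */
    if (nr_events != 0 && per_hist > SIZE_MAX / nr_events)
        return -1;
    total = nr_events * per_hist;

    /* step 4: + sizeof(*notes->src) */
    if (total > SIZE_MAX - sizeof(struct annotated_source))
        return -1;
    total += sizeof(struct annotated_source);

    *out = total;
    return 0;
}

/* Convenience wrapper: returns the checked size, or 0 when the computation would wrap. */
size_t hist_alloc_size_or_zero(size_t nr_events, size_t size)
{
    size_t n;
    return hist_alloc_size(nr_events, size, &n) == 0 ? n : 0;
}

int main(void)
{
    /* Constructed inputs: the first passes the patch's guard but wraps in step 2,
     * the second passes steps 1 and 2 but wraps in step 3. */
    size_t probes[][2] = { {1, SIZE_MAX / sizeof(u64)}, {2, SIZE_MAX / 16}, {2, 100} };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        size_t nr_events = probes[i][0], size = probes[i][1];
        printf("nr_events=%zu size=%zu patch_guard=%d full_check=%zu\n",
               nr_events, size, patch_guard_only(size),
               hist_alloc_size_or_zero(nr_events, size));
    }
    return 0;
}
```

The two probe inputs that the patch's guard accepts are the ones a reviewer would ask about: `SIZE_MAX / sizeof(u64)` survives the multiplication check but the header addition wraps, and `SIZE_MAX / 16` with two events survives both the multiplication and the addition but wraps when multiplied by `nr_events`. Only the full four-step check rejects them.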