diff mbox series

perf tests: Fix out of bounds memory access

Message ID 20191107014848.30008-1-leo.yan@linaro.org
State Superseded
Headers show
Series perf tests: Fix out of bounds memory access | expand

Commit Message

Leo Yan Nov. 7, 2019, 1:48 a.m. UTC
The test case 'Read backward ring buffer' failed on 32bit architectures
which were found by LKFT pert testing.  The test failed on arm32 x15
device, qemu_arm32, qemu_i386, and found intermittent failure on i386;
the failure log is as below:

  50: Read backward ring buffer                  :
  --- start ---
  test child forked, pid 510
  Using CPUID GenuineIntel-6-9E-9
  mmap size 1052672B
  mmap size 8192B
  Finished reading overwrite ring buffer: rewind
  free(): invalid next size (fast)
  test child interrupted
  ---- end ----
  Read backward ring buffer: FAILED!

The log hints there have issues for memory usage, thus free() reports
error 'invalid next size' and directly exit for the case.  Finally, this
issue is root caused as out of bounds memory access for the data array
'evsel->id'.

The backward ring buffer test invokes do_test() twice.  'evsel->id' is
allocated at the first call with the flow:

  test__backward_ring_buffer()
    `-> do_test()
	  `-> evlist__mmap()
	        `-> evlist__mmap_ex()
	              `-> perf_evsel__alloc_id()

So 'evsel->id' is allocated with one item, and it will be used in
function perf_evlist__id_add():

   evsel->id[0] = id
   evsel->ids   = 1

At the second call for do_test(), it skips to initialize 'evsel->id'
and reuses the array which is allocated in the first call.  But
'evsel->ids' contains the stale value.  Thus:

   evsel->id[1] = id    -> out of bound access
   evsel->ids   = 2

To fix this issue, we will use evlist__open() and evlist__close() pair
functions to prepare and cleanup context for evlist; so 'evsel->id' and
'evsel->ids' can be initialized properly when invoke do_test() and avoid
the out of bounds memory access.

Signed-off-by: Leo Yan <leo.yan@linaro.org>

---
 tools/perf/tests/backward-ring-buffer.c | 9 +++++++++
 1 file changed, 9 insertions(+)

-- 
2.17.1

Comments

Leo Yan Nov. 7, 2019, 2:04 a.m. UTC | #1
On Thu, Nov 07, 2019 at 09:48:48AM +0800, Leo Yan wrote:
> The test case 'Read backward ring buffer' failed on 32bit architectures

> which were found by LKFT pert testing.  The test failed on arm32 x15

                           ^^^^
                           s/pert/perf

Sorry for typo and spamming, I sent patch v2 for reviewing.

Thanks,
Leo Yan

> device, qemu_arm32, qemu_i386, and found intermittent failure on i386;

> the failure log is as below:

> 

>   50: Read backward ring buffer                  :

>   --- start ---

>   test child forked, pid 510

>   Using CPUID GenuineIntel-6-9E-9

>   mmap size 1052672B

>   mmap size 8192B

>   Finished reading overwrite ring buffer: rewind

>   free(): invalid next size (fast)

>   test child interrupted

>   ---- end ----

>   Read backward ring buffer: FAILED!

> 

> The log hints there have issues for memory usage, thus free() reports

> error 'invalid next size' and directly exit for the case.  Finally, this

> issue is root caused as out of bounds memory access for the data array

> 'evsel->id'.

> 

> The backward ring buffer test invokes do_test() twice.  'evsel->id' is

> allocated at the first call with the flow:

> 

>   test__backward_ring_buffer()

>     `-> do_test()

> 	  `-> evlist__mmap()

> 	        `-> evlist__mmap_ex()

> 	              `-> perf_evsel__alloc_id()

> 

> So 'evsel->id' is allocated with one item, and it will be used in

> function perf_evlist__id_add():

> 

>    evsel->id[0] = id

>    evsel->ids   = 1

> 

> At the second call for do_test(), it skips to initialize 'evsel->id'

> and reuses the array which is allocated in the first call.  But

> 'evsel->ids' contains the stale value.  Thus:

> 

>    evsel->id[1] = id    -> out of bound access

>    evsel->ids   = 2

> 

> To fix this issue, we will use evlist__open() and evlist__close() pair

> functions to prepare and cleanup context for evlist; so 'evsel->id' and

> 'evsel->ids' can be initialized properly when invoke do_test() and avoid

> the out of bounds memory access.

> 

> Signed-off-by: Leo Yan <leo.yan@linaro.org>

> ---

>  tools/perf/tests/backward-ring-buffer.c | 9 +++++++++

>  1 file changed, 9 insertions(+)

> 

> diff --git a/tools/perf/tests/backward-ring-buffer.c b/tools/perf/tests/backward-ring-buffer.c

> index 338cd9faa835..5128f727c0ef 100644

> --- a/tools/perf/tests/backward-ring-buffer.c

> +++ b/tools/perf/tests/backward-ring-buffer.c

> @@ -147,6 +147,15 @@ int test__backward_ring_buffer(struct test *test __maybe_unused, int subtest __m

>  		goto out_delete_evlist;

>  	}

>  

> +	evlist__close(evlist);

> +

> +	err = evlist__open(evlist);

> +	if (err < 0) {

> +		pr_debug("perf_evlist__open: %s\n",

> +			 str_error_r(errno, sbuf, sizeof(sbuf)));

> +		goto out_delete_evlist;

> +	}

> +

>  	err = do_test(evlist, 1, &sample_count, &comm_count);

>  	if (err != TEST_OK)

>  		goto out_delete_evlist;

> -- 

> 2.17.1

>
diff mbox series

Patch

diff --git a/tools/perf/tests/backward-ring-buffer.c b/tools/perf/tests/backward-ring-buffer.c
index 338cd9faa835..5128f727c0ef 100644
--- a/tools/perf/tests/backward-ring-buffer.c
+++ b/tools/perf/tests/backward-ring-buffer.c
@@ -147,6 +147,15 @@  int test__backward_ring_buffer(struct test *test __maybe_unused, int subtest __m
 		goto out_delete_evlist;
 	}
 
+	evlist__close(evlist);
+
+	err = evlist__open(evlist);
+	if (err < 0) {
+		pr_debug("perf_evlist__open: %s\n",
+			 str_error_r(errno, sbuf, sizeof(sbuf)));
+		goto out_delete_evlist;
+	}
+
 	err = do_test(evlist, 1, &sample_count, &comm_count);
 	if (err != TEST_OK)
 		goto out_delete_evlist;