Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

perf tools kvm: Fix the potential out of range memory access issue

kvm_add_default_arch_event() helper may add 2 extra options but it
directly modifies the original argv[] array. This may cause out of range
memory access. Fix this issue.

Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

authored by Dapeng Mi and committed by Arnaldo Carvalho de Melo
45ff39f6 6f58cf10

+10 -5
tools/perf/builtin-kvm.c
··· 2008 2008 int rec_argc, i = 0, j, ret; 2009 2009 const char **rec_argv; 2010 2010 2011 - ret = kvm_add_default_arch_event(&argc, argv); 2012 - if (ret) 2013 - return -EINVAL; 2014 - 2015 - rec_argc = argc + 2; 2011 + /* 2012 + * Besides the 2 more options "-o" and "filename", 2013 + * kvm_add_default_arch_event() may add 2 extra options, 2014 + * so allocate 4 more items. 2015 + */ 2016 + rec_argc = argc + 2 + 2; 2016 2017 rec_argv = calloc(rec_argc + 1, sizeof(char *)); 2017 2018 if (!rec_argv) 2018 2019 return -ENOMEM; ··· 2025 2024 rec_argv[i] = STRDUP_FAIL_EXIT(argv[j]); 2026 2025 2027 2026 BUG_ON(i != rec_argc); 2027 + 2028 + ret = kvm_add_default_arch_event(&i, rec_argv); 2029 + if (ret) 2030 + goto EXIT; 2028 2031 2029 2032 ret = cmd_record(i, rec_argv); 2030 2033
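Review bot: In the first hunk, rec_argc = argc + 2 + 2 sizes the array from an assumption about kvm_add_default_arch_event() that only the comment records. The helper is later called as kvm_add_default_arch_event(&i, rec_argv) with no capacity argument, so nothing visible here stops it writing past the allocation if an arch implementation ever appends more than two entries. Consider a named constant shared with the helper, or passing the capacity (rec_argc) in so the helper can refuse to overrun; that keeps the out-of-range write this commit fixes from coming back.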
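Review bot: In the second hunk, the unchanged BUG_ON(i != rec_argc) now sits before the new kvm_add_default_arch_event(&i, rec_argv) call, while rec_argc was raised by 2 to reserve slots that only that call fills. Unless the copy loop elided between the two hunks also changed, i is rec_argc - 2 at that point and the assertion fires on every run; checking i + 2 != rec_argc there, or moving the check after the helper as an upper bound (i > rec_argc), would match the new layout. The failure path also changes from return -EINVAL to goto EXIT with the helper's own ret, so the commit message should say whether that change in return value is intended.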