diff options
| author | Peter Zijlstra <peterz@infradead.org> | 2013-10-16 18:06:46 -0400 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2013-10-29 07:02:53 -0400 |
| commit | 2c42cfbfe10872929c2ba1f8130e31063ff59b94 (patch) | |
| tree | 588f6008befc05e2458ab0bfc8bde08315279333 | |
| parent | 3ea2f2b96f9e636f49eb10962e96db3e19cab157 (diff) | |
perf: Change zero-padding of strings in perf_event_mmap_event()
Oleg complained about the excessive 0-ing in perf_event_mmap_event(),
so try and be smarter about it while keeping it fairly fool proof and
avoid leaking random bits out to userspace.
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/n/tip-8jirlm99m6if2z13wd6rbyu6@git.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
| -rw-r--r-- | kernel/events/core.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c index b409e757cadc..85a8bbde6481 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c | |||
| @@ -5106,15 +5106,13 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) | |||
| 5106 | unsigned int size; | 5106 | unsigned int size; |
| 5107 | char tmp[16]; | 5107 | char tmp[16]; |
| 5108 | char *buf = NULL; | 5108 | char *buf = NULL; |
| 5109 | const char *name; | 5109 | char *name; |
| 5110 | |||
| 5111 | memset(tmp, 0, sizeof(tmp)); | ||
| 5112 | 5110 | ||
| 5113 | if (file) { | 5111 | if (file) { |
| 5114 | struct inode *inode; | 5112 | struct inode *inode; |
| 5115 | dev_t dev; | 5113 | dev_t dev; |
| 5116 | 5114 | ||
| 5117 | buf = kzalloc(PATH_MAX, GFP_KERNEL); | 5115 | buf = kmalloc(PATH_MAX, GFP_KERNEL); |
| 5118 | if (!buf) { | 5116 | if (!buf) { |
| 5119 | name = strncpy(tmp, "//enomem", sizeof(tmp)); | 5117 | name = strncpy(tmp, "//enomem", sizeof(tmp)); |
| 5120 | goto got_name; | 5118 | goto got_name; |
| @@ -5137,7 +5135,7 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) | |||
| 5137 | min = MINOR(dev); | 5135 | min = MINOR(dev); |
| 5138 | 5136 | ||
| 5139 | } else { | 5137 | } else { |
| 5140 | name = arch_vma_name(vma); | 5138 | name = (char *)arch_vma_name(vma); |
| 5141 | if (name) { | 5139 | if (name) { |
| 5142 | name = strncpy(tmp, name, sizeof(tmp) - 1); | 5140 | name = strncpy(tmp, name, sizeof(tmp) - 1); |
| 5143 | tmp[sizeof(tmp) - 1] = '\0'; | 5141 | tmp[sizeof(tmp) - 1] = '\0'; |
| @@ -5160,7 +5158,14 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) | |||
| 5160 | } | 5158 | } |
| 5161 | 5159 | ||
| 5162 | got_name: | 5160 | got_name: |
| 5163 | size = ALIGN(strlen(name)+1, sizeof(u64)); | 5161 | /* |
| 5162 | * Since our buffer works in 8 byte units we need to align our string | ||
| 5163 | * size to a multiple of 8. However, we must guarantee the tail end is | ||
| 5164 | * zero'd out to avoid leaking random bits to userspace. | ||
| 5165 | */ | ||
| 5166 | size = strlen(name)+1; | ||
| 5167 | while (!IS_ALIGNED(size, sizeof(u64))) | ||
| 5168 | name[size++] = '\0'; | ||
| 5164 | 5169 | ||
| 5165 | mmap_event->file_name = name; | 5170 | mmap_event->file_name = name; |
| 5166 | mmap_event->file_size = size; | 5171 | mmap_event->file_size = size; |