[timbunce/devel-nytprof] 7595dd: NYTProf.xs: prevent memory corruption in incr_sub_...

Tim Bunce

Mar 23, 2018, 5:52:22 PM
to develnyt...@googlegroups.com
Branch: refs/heads/master
Home: https://github.com/timbunce/devel-nytprof
Commit: 7595dd80cfb07b5d0b28ac0d084eaf9a14a50b67
https://github.com/timbunce/devel-nytprof/commit/7595dd80cfb07b5d0b28ac0d084eaf9a14a50b67
Author: Luciano Rocha <lucian...@booking.com>
Date: 2018-02-26 (Mon, 26 Feb 2018)

Changed paths:
M NYTProf.xs

Log Message:
-----------
NYTProf.xs: prevent memory corruption in incr_sub_inclusive_time

In incr_sub_inclusive_time, the write to subr_call_key could in some
circumstances write beyond the size of the buffer:
*** buffer overflow detected ***: /usr/sbin/uwsgi terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fb2c7589d87]
/lib64/libc.so.6(+0x10df40)[0x7fb2c7587f40]
/lib64/libc.so.6(+0x10d449)[0x7fb2c7587449]
/lib64/libc.so.6(_IO_default_xsputn+0xbc)[0x7fb2c74f264c]
/lib64/libc.so.6(_IO_vfprintf+0x151d)[0x7fb2c74c269d]
/lib64/libc.so.6(__vsprintf_chk+0x88)[0x7fb2c75874d8]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7fb2c758742d]
/usr/local/git_tree/main/lib/site/lib/auto/Devel/NYTProf/NYTProf.so(+0xe483)[0x7fb2ad9f0483]
/usr/local/booking-perl/5.24.3/lib/CORE/libperl.so(Perl_leave_scope+0x116)[0x7fb2c54fc3b6]

With gdb attached I could find the function:
#10 0x00007faa38ff1363 in incr_sub_inclusive_time () from /usr/lib/pakket/5.24.3/libraries/active/lib/perl5/x86_64-linux/auto/Devel/NYTProf/NYTProf.so

Notably, the crash didn't happen with optimizations disabled, with the -g to
Makefile.PL.

There's already a check for not exceeding the size of the buffer, but that
comes after the memory corruption happens.

Changing from sprintf to snprintf fixes the memory corruption, and will return
the number of bytes that *would* have been written if enough space was
available, so the check for size still happens.


Commit: b8621ab1122a98f2bb6b200d723fbae27f8e7867
https://github.com/timbunce/devel-nytprof/commit/b8621ab1122a98f2bb6b200d723fbae27f8e7867
Author: Tim Bunce <Tim....@pobox.com>
Date: 2018-03-23 (Fri, 23 Mar 2018)

Changed paths:
M NYTProf.xs

Log Message:
-----------
Merge pull request #115 from lucrocha/master

NYTProf.xs: prevent memory corruption in incr_sub_inclusive_time


Compare: https://github.com/timbunce/devel-nytprof/compare/dab328661a10...b8621ab1122a
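
The pattern the first commit message describes, as an added C example that is not code from NYTProf or from this commit: a bounded `snprintf` write followed by the size check, with guard bytes after the buffer to show nothing past it is touched. The buffer size, the `"%s->%s"` key layout, the names `format_call_key` and `try_key`, and the sample inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

enum { KEY_SIZE = 16 };            /* assumed buffer size, chosen for the demo */

/* Bounded write: at most bufsize bytes including the NUL are stored.
 * Returns the length the complete key needs (NUL excluded), or <0 on error. */
static int format_call_key(char *buf, size_t bufsize,
                           const char *caller, const char *called)
{
    /* "%s->%s" is an assumed key layout, not NYTProf's real format string */
    return snprintf(buf, bufsize, "%s->%s", caller, called);
}

/* Returns 1 if the key fit, 0 if it was truncated, -1 if the guard bytes
 * placed right after the buffer were modified. */
static int try_key(const char *caller, const char *called, int *needed)
{
    struct { char key[KEY_SIZE]; char guard[8]; } s;
    memset(s.guard, 0x5A, sizeof s.guard);

    *needed = format_call_key(s.key, sizeof s.key, caller, called);

    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5A)
            return -1;
    /* The size check runs after the write; that is safe only because the
     * write was bounded. With sprintf the damage would already be done. */
    if (*needed < 0 || (size_t)*needed >= sizeof s.key)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: one short key, one longer than the buffer. */
    const char *in[2][2] = {
        { "main", "foo" },
        { "My::Long::Package::caller", "Other::Package::callee" },
    };
    for (int i = 0; i < 2; i++) {
        int needed;
        int r = try_key(in[i][0], in[i][1], &needed);
        printf("needed=%d result=%d\n", needed, r);
    }
    return 0;
}
```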