glibc/gmon
Леонид Юрьев (Leonid Yuriev) 8e1a8e04b1 gmon: Fix allocated buffer overflow (bug 29444)
The `__monstartup()` allocates a buffer used to store all the data
accumulated by the monitor.

The size of this buffer depends on the size of the internal structures
used and the address range for which the monitor is activated, as well
as on the maximum density of call instructions and/or callable functions
that could be potentially on a segment of executable code.

In particular a hash table of arcs is placed at the end of this buffer.
The size of this hash table is calculated in bytes as
   p->fromssize = p->textsize / HASHFRACTION;

but actually should be
   p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));

This results in writing beyond the end of the allocated buffer when an
added arc corresponds to a call near from the end of the monitored
address range, since `_mcount()` check the incoming caller address for
monitored range but not the intermediate result hash-like index that
uses to write into the table.

It should be noted that when the results are output to `gmon.out`, the
table is read to the last element calculated from the allocated size in
bytes, so the arcs stored outside the buffer boundary did not fall into
`gprof` for analysis. Thus this "feature" help me to found this bug
during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438

Just in case, I will explicitly note that the problem breaks the
`make test t=gmon/tst-gmon-dso` added for Bug 29438.
There, the arc of the `f3()` call disappears from the output, since in
the DSO case, the call to `f3` is located close to the end of the
monitored range.

Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>

Another minor error seems a related typo in the calculation of
`kcountsize`, but since kcounts are smaller than froms, this is
actually to align the p->froms data.

Co-authored-by: DJ Delorie <dj@redhat.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 801af9fafd)
2023-04-28 16:36:48 +02:00
..
sys Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
gmon.c gmon: Fix allocated buffer overflow (bug 29444) 2023-04-28 16:36:48 +02:00
Makefile Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
mcount.c Don't use catomic functions in mcount (BZ #16912) 2014-05-06 16:30:48 +02:00
prof-freq.c Moved to csu/errno-loc.c. 2005-12-14 15:06:39 +00:00
profil.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sprofil.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-gmon-gprof.sh Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-gmon-pie.c Support profiling PIE [BZ #22284] 2017-10-12 03:49:40 -07:00
tst-gmon-static-gprof.sh Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-gmon-static-pie.c Add --enable-static-pie configure option to build static PIE [BZ #19574] 2017-12-15 17:12:14 -08:00
tst-gmon-static.c Add a test for profiling static executable 2017-10-14 12:58:55 -07:00
tst-gmon.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-profile-static.c * elf/dl-reloc.c [PROF] (_dl_relocate_object): Define 2005-07-07 02:39:45 +00:00
tst-sprofil.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
Versions linux: Make profil_counter a compat_symbol (BZ#17726) 2019-08-23 11:30:56 -03:00