glibc/gmon
Simon Kissane bde1218720 gmon: fix memory corruption issues [BZ# 30101]
V2 of this patch fixes an issue in V1, where the state was changed to ON not
OFF at end of _mcleanup. I hadn't noticed that (counterintuitively) ON=0 and
OFF=3, hence zeroing the buffer turned it back on. So set the state to OFF
after the memset.

1. Prevent double free, and reads from unallocated memory, when
   _mcleanup is (incorrectly) called two or more times in a row,
   without an intervening call to __monstartup; with this patch, the
   second and subsequent calls effectively become no-ops instead.
   While setting tos=NULL is a minimal fix, the safest action is to zero
   the whole gmonparam buffer.

2. Prevent memory leak when __monstartup is (incorrectly) called two
   or more times in a row, without an intervening call to _mcleanup;
   with this patch, the second and subsequent calls effectively become
   no-ops instead.

3. After _mcleanup, treat __moncontrol(1) as __moncontrol(0) instead.
   With zeroing of gmonparam buffer in _mcleanup, this stops the
   state incorrectly being changed to GMON_PROF_ON despite profiling
   actually being off. If we'd just done the minimal fix to _mcleanup
   of setting tos=NULL, there is risk of far worse memory corruption:
   kcount would point to deallocated memory, and the __profil syscall
   would make the kernel write profiling data into that memory,
   which could have since been reallocated to something unrelated.

4. Ensure __moncontrol(0) still turns off profiling even in error
   state. Otherwise, if mcount overflows and sets state to
   GMON_PROF_ERROR, when _mcleanup calls __moncontrol(0), the __profil
   syscall to disable profiling will not be invoked. _mcleanup will
   free the buffer, but the kernel will still be writing profiling
   data into it, potentially corrupting arbitrary memory.

Also adds a test case for (1). Issues (2)-(4) are not feasible to test.

Signed-off-by: Simon Kissane <skissane@gmail.com>
Reviewed-by: DJ Delorie <dj@redhat.com>
2023-02-22 21:03:30 -05:00
sys gmon: improve mcount overflow handling [BZ# 27576] 2023-02-22 21:00:14 -05:00
gmon.c gmon: fix memory corruption issues [BZ# 30101] 2023-02-22 21:03:30 -05:00
Makefile gmon: fix memory corruption issues [BZ# 30101] 2023-02-22 21:03:30 -05:00
mcount.c gmon: improve mcount overflow handling [BZ# 27576] 2023-02-22 21:00:14 -05:00
prof-freq.c Moved to csu/errno-loc.c. 2005-12-14 15:06:39 +00:00
profil.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sprofil.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-gmon-gprof.sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-gmon-pie.c Support profiling PIE [BZ #22284] 2017-10-12 03:49:40 -07:00
tst-gmon-static-gprof.sh Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-gmon-static-pie.c Add --enable-static-pie configure option to build static PIE [BZ #19574] 2017-12-15 17:12:14 -08:00
tst-gmon-static.c Add a test for profiling static executable 2017-10-14 12:58:55 -07:00
tst-gmon.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-mcleanup.c gmon: fix memory corruption issues [BZ# 30101] 2023-02-22 21:03:30 -05:00
tst-mcount-overflow-check.sh gmon: improve mcount overflow handling [BZ# 27576] 2023-02-22 21:00:14 -05:00
tst-mcount-overflow.c gmon: improve mcount overflow handling [BZ# 27576] 2023-02-22 21:00:14 -05:00
tst-profile-static.c * elf/dl-reloc.c [PROF] (_dl_relocate_object): Define 2005-07-07 02:39:45 +00:00
tst-sprofil.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
Versions linux: Make profil_counter a compat_symbol (BZ#17726) 2019-08-23 11:30:56 -03:00