From: sashiko-bot@kernel.org
To: "Tanushree Shah" <tshah@linux.ibm.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v2] perf dso: Fix kallsyms DSO detection with fallback logic
Date: Thu, 16 Apr 2026 11:09:04 +0000 [thread overview]
Message-ID: <20260416110905.3A68AC2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <20260416091657.578429-2-tshah@linux.ibm.com>
Sashiko AI review found 2 potential issue(s):
- [High] Path Traversal and Information Disclosure due to `strncmp` matching any prefix.
- [Medium] Incomplete fix: Fallback logic is missing from `dso__is_kcore()` and `dso__is_vmlinux()`.
--
commit 9ee80283f13c6a0a5235a2add7a94736c1dfcbba
Author: Tanushree Shah <tshah@linux.ibm.com>
perf dso: Fix kallsyms DSO detection with fallback logic
This commit fixes an issue where kallsyms DSOs are not correctly identified
during build-id injection because the dso_binary_type is not yet set. It
adds a fallback string matching check against the DSO's long_name.
> diff --git a/tools/perf/util/dso.h b/tools/perf/util/dso.h
> index ede691e9a2495..515ab6e95b0e4 100644
> --- a/tools/perf/util/dso.h
> +++ b/tools/perf/util/dso.h
[ ... ]
> @@ -915,6 +917,14 @@ static inline bool dso__is_kallsyms(const struct dso *dso)
> {
> enum dso_binary_type bt = dso__binary_type(dso);
>
> + if (bt == DSO_BINARY_TYPE__NOT_FOUND) {
Since the fallback logic was added here because dso_binary_type(dso) is
DSO_BINARY_TYPE__NOT_FOUND during perf record and inject, do dso__is_kcore()
and dso__is_vmlinux() require a similar fallback?
Looking at dso__cache_build_id(), it relies on dso__is_kcore() to flag the
DSO for special caching logic. If dso__is_kcore() returns false during
build-id caching, kcore DSOs are treated as regular files, which causes
nsinfo__realpath() to fail and breaks perf archive for kcore sessions.
> + return RC_CHK_ACCESS(dso)->kernel &&
> + ((strncmp(RC_CHK_ACCESS(dso)->long_name, DSO__NAME_KALLSYMS,
> + strlen(DSO__NAME_KALLSYMS)) == 0) ||
Does using strncmp() here allow a path traversal if long_name is
intentionally crafted?
If a malicious perf.data file contains an MMAP event with a filename like
"[kernel.kallsyms]/../../../../tmp/leak", this prefix check evaluates
to true.
Could this allow build_id_cache__cachedir() to construct a cache directory
using this malicious path, causing build_id_cache__add() to unconditionally
copy the host's /proc/kallsyms into an attacker-controlled directory?
> + (strncmp(RC_CHK_ACCESS(dso)->long_name, DSO__PREFIX_GUEST_KALLSYMS,
> + strlen(DSO__PREFIX_GUEST_KALLSYMS)) == 0));
> + }
> +
> return bt == DSO_BINARY_TYPE__KALLSYMS || bt == DSO_BINARY_TYPE__GUEST_KALLSYMS;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260416091657.578429-2-tshah@linux.ibm.com?part=1
prev parent reply other threads:[~2026-04-16 11:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 9:16 [PATCH v2] perf dso: Fix kallsyms DSO detection with fallback logic Tanushree Shah
2026-04-16 11:09 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260416110905.3A68AC2BCAF@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
--cc=tshah@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.