From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events
Date: Mon, 25 May 2026 01:54:45 +0000 [thread overview]
Message-ID: <20260525015446.763731F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260525010550.1100375-16-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Flawed TOCTOU mitigations in `perf_session__process_user_event` introduce a new double-fetch vulnerability and fail to protect downstream consumers.
--
commit 30d93e0987b40b97105d2394d829563792873b62
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events
This commit adds byte-swapping and bounds validation for PERF_RECORD_BPF_METADATA
events to prevent out-of-bounds reads when processing cross-endian perf.data files.
It handles writable cross-endian mappings by clamping values in place and validates
read-only native-endian mappings to skip malicious records.
> diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
> index 092fccbea8f80..95eb793026de6 100644
> --- a/tools/perf/util/session.c
> +++ b/tools/perf/util/session.c
[ ... ]
> @@ -2203,9 +2246,53 @@ static s64 perf_session__process_user_event(struct perf_session *session,
> case PERF_RECORD_FINISHED_INIT:
> err = tool->finished_init(tool, session, event);
> break;
> - case PERF_RECORD_BPF_METADATA:
> + case PERF_RECORD_BPF_METADATA: {
> + u64 nr_entries, max_entries;
> + u32 hdr_size = READ_ONCE(event->header.size);
[Severity: Medium]
Could the snapshotting of event->header.size introduce a double-fetch issue?
Since native-endian files are mapped as MAP_SHARED, it seems a concurrent
modification by a malicious file writer could inflate event->header.size in
the time window between the core bounds check and this READ_ONCE().
If hdr_size is inflated, the calculated max_entries would be larger than the
actual mmap region, which might cause the strnlen loop below to read out
of bounds.
> +
> + if (hdr_size < sizeof(event->bpf_metadata)) {
> + pr_warning("WARNING: PERF_RECORD_BPF_METADATA: header.size (%u) too small, skipping\n",
> + hdr_size);
> + err = 0;
> + break;
> + }
[ ... ]
> + /* Snapshot — event is mmap'd and could change between reads */
> + nr_entries = READ_ONCE(event->bpf_metadata.nr_entries);
> + max_entries = (hdr_size - sizeof(event->bpf_metadata)) /
> + sizeof(event->bpf_metadata.entries[0]);
> + if (nr_entries > max_entries) {
> + pr_warning("WARNING: PERF_RECORD_BPF_METADATA: nr_entries %" PRIu64 " exceeds max %" PRIu64 ", skipping\n",
> + nr_entries, max_entries);
> + err = 0;
> + break;
> + }
> +
> + for (u64 i = 0; i < nr_entries; i++) {
> + if (strnlen(event->bpf_metadata.entries[i].key,
> + BPF_METADATA_KEY_LEN) == BPF_METADATA_KEY_LEN ||
> + strnlen(event->bpf_metadata.entries[i].value,
> + BPF_METADATA_VALUE_LEN) == BPF_METADATA_VALUE_LEN) {
> + pr_warning("WARNING: PERF_RECORD_BPF_METADATA: entry %" PRIu64 " key/value not null-terminated, skipping\n", i);
> + err = 0;
> + goto out;
> + }
> + }
> +
> err = tool->bpf_metadata(tool, session, event);
[Severity: Medium]
Does passing the raw event pointer to downstream consumers bypass the
validation performed above?
Because the event is volatile, functions downstream might re-read
event->bpf_metadata.nr_entries directly from the memory mapping instead
of using the validated nr_entries snapshot.
Could this lead to an out-of-bounds read if the value changes after the check
but before the consumer uses it?
> break;
> + }
> case PERF_RECORD_SCHEDSTAT_CPU:
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260525010550.1100375-1-acme@kernel.org?part=15
next prev parent reply other threads:[~2026-05-25 1:54 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 1:05 [PATCHES v3 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 01/29] perf session: Add minimum event size and alignment validation Arnaldo Carvalho de Melo
2026-05-25 1:45 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 02/29] perf session: Bounds-check one_mmap event pointer in peek_event Arnaldo Carvalho de Melo
2026-05-25 1:41 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 03/29] perf tools: Fix event_contains() macro to verify full field extent Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 04/29] perf zstd: Fix compression error path in zstd_compress_stream_to_records() Arnaldo Carvalho de Melo
2026-05-25 1:52 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 05/29] perf zstd: Fix multi-iteration decompression and error handling Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 06/29] perf session: Fix PERF_RECORD_READ swap and dump for variable-length events Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 07/29] perf session: Fix swap_sample_id_all() crash on crafted events Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 08/29] perf session: Add validated swap infrastructure with null-termination checks Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 09/29] perf session: Use bounded copy for PERF_RECORD_TIME_CONV Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-25 1:56 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 11/29] perf session: Validate nr fields against event size on both swap and common paths Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 12/29] perf header: Byte-swap build ID event pid and bounds check section entries Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-25 1:40 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 14/29] perf auxtrace: Harden auxtrace_error event handling Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-25 1:54 ` sashiko-bot [this message]
2026-05-25 1:05 ` [PATCH 16/29] perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 17/29] perf tools: Bounds check perf_event_attr fields against attr.size before printing Arnaldo Carvalho de Melo
2026-05-25 1:59 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 18/29] perf header: Propagate feature section processing errors Arnaldo Carvalho de Melo
2026-05-25 3:01 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 19/29] perf header: Validate f_attr.ids section before use in perf_session__read_header() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 20/29] perf header: Validate feature section size and add read path bounds checking Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 21/29] perf header: Sanity check HEADER_EVENT_DESC attr.size before swap Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 22/29] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-05-25 2:29 ` sashiko-bot
2026-05-25 15:38 ` Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 23/29] perf session: Add byte-swap handler for PERF_RECORD_COMPRESSED2 Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 24/29] perf tools: Harden compressed event processing Arnaldo Carvalho de Melo
2026-05-25 2:17 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 25/29] perf session: Check for decompression buffer size overflow Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 26/29] perf session: Bound nr_cpus_avail and validate sample CPU Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 27/29] perf kwork: Bounds check work->cpu before indexing cpus_runtime[] Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 29/29] perf test: Add truncated perf.data robustness test Arnaldo Carvalho de Melo
2026-05-25 2:04 ` sashiko-bot
2026-05-25 15:41 ` Arnaldo Carvalho de Melo
-- strict thread matches above, loose matches on Subject: below --
2026-05-26 21:17 [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-26 21:56 ` sashiko-bot
2026-05-24 3:26 [PATCHES v2 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-24 4:13 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260525015446.763731F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.