From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 4/8] perf timechart: Include file offset in CPU bounds check messages
Date: Wed, 03 Jun 2026 00:36:16 +0000
Message-ID: <20260603003616.8D81B1F00893@smtp.kernel.org>
In-Reply-To: <20260602235709.1541603-5-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Out-of-bounds read vulnerability in cpu2y() when using --topology, leading to heap information leak or crash.
--
commit df9ed5394176bf63cfdd83249ffcb6787efbba52
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf timechart: Include file offset in CPU bounds check messages
This patch adds the perf.data file offset to the out-of-bounds CPU debug
messages in various timechart sample processing functions.
> diff --git a/tools/perf/builtin-timechart.c b/tools/perf/builtin-timechart.c
> index 630756bebe324..071987241a528 100644
> --- a/tools/perf/builtin-timechart.c
> +++ b/tools/perf/builtin-timechart.c
> @@ -605,8 +605,10 @@ process_sample_cpu_idle(struct timechart *tchart __maybe_unused,
> u32 state = perf_sample__intval(sample, "state");
> u32 cpu_id = perf_sample__intval(sample, "cpu_id");
>
> + /* perf.data is untrusted input — cpu_id may be corrupted */
> if (cpu_id >= MAX_CPUS) {
> - pr_debug("Out-of-bounds cpu_id %u\n", cpu_id);
> + pr_debug("at offset %#" PRIx64 ": out-of-bounds cpu_id %u\n",
> + sample->file_offset, cpu_id);
[Severity: High]
This is a pre-existing issue, but since the bounds check logic is being
modified here, does checking against MAX_CPUS adequately protect
topology_map when using --topology?
The topology_map is dynamically allocated using the number of CPUs:
    tools/perf/util/svghelper.c:svg_build_topology_map() {
        ...
        topology_map = malloc(sizeof(int) * nr_cpus);
        ...
    }
However, the untrusted CPU ID in the perf.data sample is only checked against
MAX_CPUS (4096) here. Later, cpu2y() accesses this array using the CPU ID:
    tools/perf/util/svghelper.c:cpu2y() {
        ...
        return cpu2slot(topology_map[cpu]) * SLOT_MULT;
    }
If nr_cpus is smaller than MAX_CPUS, could a crafted perf.data with a CPU ID
between nr_cpus and 4095 cause an out-of-bounds heap read, potentially leading
to a crash or an information leak into the SVG output?
> return -1;
> }
> if (state == (u32)PWR_EVENT_EXIT)
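Review bot: the new comment line `+ /* perf.data is untrusted input — cpu_id may be corrupted */` introduces a non-ASCII em-dash into a C source comment; keep the comment plain ASCII, e.g. `/* perf.data is untrusted input, cpu_id may be corrupted */`. The guard itself is left as `cpu_id >= MAX_CPUS`, which only bounds against the compile-time limit; if the interleaved concern above holds, the same site should also reject a cpu_id at or beyond the allocated topology_map length (nr_cpus) before the sample reaches cpu2y(), since passing the 4096 cap says nothing about the malloc'd size. The message change itself, carrying `sample->file_offset` with `%#" PRIx64`, is consistent with the rest of the series.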
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260602235709.1541603-1-acme@kernel.org?part=4
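The mismatch the review describes, as an added illustration that is not perf's code: a map sized by the runtime CPU count next to a check that only enforces the compile-time cap, and a lookup that validates against the allocated length as well. The struct, builder and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Compile-time cap, the only thing the quoted hunk checks against. */
#define MAX_CPUS 4096

/* Constructed stand-in for topology_map: sized by the real CPU count. */
struct topology {
	int nr_cpus; /* entries actually allocated in map */
	int *map;    /* cpu -> slot, malloc(sizeof(int) * nr_cpus) */
};

/* Hypothetical builder: identity cpu -> slot mapping, sized like
 * svg_build_topology_map() sizes topology_map (by nr_cpus, not MAX_CPUS). */
static int topology_init(struct topology *t, int nr_cpus)
{
	if (nr_cpus <= 0 || nr_cpus > MAX_CPUS)
		return -1;
	t->map = malloc(sizeof(int) * nr_cpus);
	if (!t->map)
		return -1;
	for (int i = 0; i < nr_cpus; i++)
		t->map[i] = i;
	t->nr_cpus = nr_cpus;
	return 0;
}

/* The check as the hunk keeps it: accepts any cpu_id below the cap, even
 * when the map holds far fewer entries. */
static int check_max_only(uint32_t cpu_id)
{
	return cpu_id < MAX_CPUS ? 0 : -1;
}

/* Hardened lookup: also validates against the allocated length, so a
 * cpu_id in [nr_cpus, MAX_CPUS) read from a corrupted perf.data is
 * rejected instead of indexing past the heap allocation.
 * Returns 0 and sets *slot on success, -1 otherwise. */
static int topology_slot(const struct topology *t, uint32_t cpu_id, int *slot)
{
	if (check_max_only(cpu_id) < 0)
		return -1;
	if (!t->map || cpu_id >= (uint32_t)t->nr_cpus)
		return -1;
	*slot = t->map[cpu_id];
	return 0;
}

static void topology_free(struct topology *t)
{
	free(t->map);
	t->map = NULL;
	t->nr_cpus = 0;
}
```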
2026-06-02 23:56 [PATCHES 0/8] perf tools: Diagnostic offsets in skip messages + two hardening fixes Arnaldo Carvalho de Melo
2026-06-02 23:57 ` [PATCH 1/8] perf sample: Add file_offset field to struct perf_sample Arnaldo Carvalho de Melo
2026-06-03 15:11 ` Ian Rogers
2026-06-02 23:57 ` [PATCH 2/8] perf session: Include file offset in event skip/stop messages Arnaldo Carvalho de Melo
2026-06-03 15:12 ` Ian Rogers
2026-06-02 23:57 ` [PATCH 3/8] perf sched: Include file offset in event skip messages Arnaldo Carvalho de Melo
2026-06-03 15:13 ` Ian Rogers
2026-06-02 23:57 ` [PATCH 4/8] perf timechart: Include file offset in CPU bounds check messages Arnaldo Carvalho de Melo
2026-06-03 0:36 ` sashiko-bot [this message]
2026-06-03 15:14 ` Ian Rogers
2026-06-02 23:57 ` [PATCH 5/8] perf tools: Include file offset and event type name in skip messages Arnaldo Carvalho de Melo
2026-06-03 15:14 ` Ian Rogers
2026-06-02 23:57 ` [PATCH 6/8] perf timechart: Fix cat_backtrace() use-after-free on corrupted callchain Arnaldo Carvalho de Melo
2026-06-03 15:16 ` Ian Rogers
2026-06-02 23:57 ` [PATCH 7/8] perf sched: Replace BUG_ON on invalid CPU with graceful skip Arnaldo Carvalho de Melo
2026-06-03 1:16 ` sashiko-bot
2026-06-03 15:17 ` Ian Rogers
2026-06-02 23:57 ` [PATCH 8/8] perf test: Add file offset diagnostic test for corrupted perf.data Arnaldo Carvalho de Melo
2026-06-03 1:32 ` sashiko-bot
2026-06-03 15:19 ` Ian Rogers
2026-06-03 15:06 ` [PATCHES 0/8] perf tools: Diagnostic offsets in skip messages + two hardening fixes Ian Rogers
2026-06-03 19:27 ` Arnaldo Carvalho de Melo
2026-06-03 19:44 ` Ian Rogers