From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v16 5/5] perf aslr: Strip sample registers
Date: Sat, 06 Jun 2026 15:33:38 +0000
Message-ID: <20260606153339.752771F00893@smtp.kernel.org>
In-Reply-To: <20260606151451.2913860-6-irogers@google.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [High] Incorrect size bounds check for config1 and config2 overwrites the trailing id[] array in older (ABI0/VER0) events.
- [High] Failure to mask unsupported sample_type bits leads to parsing failures on newer perf.data formats.

Pre-existing issues:
- [High] Cross-endian `perf.data` files are corrupted during ASLR injection due to mixed endianness in the synthesized `new_event` payload.
--

commit 7fad8822f4c998bf1af1ae27d27ca2449d9ecea7
Author: Ian Rogers <irogers@google.com>

perf aslr: Strip sample registers

This patch refactors the ASLR tool to strip out only the register dump
payload by masking out the relevant perf_event_attr fields when the
delegated tool is handling the data. It maintains the original
perf_event_attr values via an aslr_evsel_priv struct looked up in the
evsel_orig_attrs hashmap.

> diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
> index 00a54d1c7e41f..c852ade3c4e37 100644
> --- a/tools/perf/builtin-inject.c
> +++ b/tools/perf/builtin-inject.c
> @@ -254,6 +254,12 @@ static int perf_event__repipe_attr(const struct perf_tool *tool,
>  				return -ENOMEM;
>  			memcpy(stripped_event, event, event->header.size);
>  			stripped_event->attr.attr.sample_type &= ASLR_SUPPORTED_SAMPLE_TYPE;
> +			if (stripped_event->attr.attr.size >=
> +			    (offsetof(struct perf_event_attr, sample_regs_user) + sizeof(u64)))
> +				stripped_event->attr.attr.sample_regs_user = 0;
> +			if (stripped_event->attr.attr.size >=
> +			    (offsetof(struct perf_event_attr, sample_regs_intr) + sizeof(u64)))
> +				stripped_event->attr.attr.sample_regs_intr = 0;
>  
>  			if (stripped_event->attr.attr.type == PERF_TYPE_BREAKPOINT &&
>  			    event->header.size >= (offsetof(struct perf_record_header_attr,
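Review bot: the two new guards test stripped_event->attr.attr.size, which is the right field for deciding whether sample_regs_user and sample_regs_intr exist in an older attr; the config1/config2 clearing discussed below should use the same field rather than event->header.size, since header.size also counts the id[] array appended after the attr. A second consistency point: zeroing the register masks only leaves the attr self-consistent if ASLR_SUPPORTED_SAMPLE_TYPE excludes PERF_SAMPLE_REGS_USER and PERF_SAMPLE_REGS_INTR, so an explicit `stripped_event->attr.attr.sample_type &= ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR);` beside these lines (or a comment stating the invariant) would stop the two from silently drifting apart.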

[Severity: High]
Does this bounds check for config1 and config2 overwrite the trailing id[] array
in older (ABI0/VER0) events?

In perf_event__repipe_attr(), when clearing config1 and config2 for
kprobe/uprobe events, the size check validates against event->header.size rather
than stripped_event->attr.attr.size.

In older perf records, config2 is not part of the perf_event_attr payload, and
the id[] array begins exactly at offset 64. However, event->header.size includes
the size of the appended id[] array.

If an event has a 64-byte attr.size and an appended id[] array, the validation
will incorrectly pass and the code will write 0 to config2 (offset 72),
overwriting id[0]. Can this corrupt the unique event ID and break event
demuxing for downstream readers?

[ ... ]
> diff --git a/tools/perf/util/aslr.c b/tools/perf/util/aslr.c
> index 7afa5a0dac2f3..bac41bff1b2a3 100644
> --- a/tools/perf/util/aslr.c
> +++ b/tools/perf/util/aslr.c
[ ... ]
> @@ -668,6 +693,10 @@ static int aslr_tool__process_sample(const struct perf_tool *tool,
>  	u64 addr;
>  	size_t i;
>  	size_t j;
> +	struct aslr_evsel_priv *priv = NULL;
> +	u64 orig_sample_type;
> +	u64 orig_regs_user;
> +	u64 orig_regs_intr;
>  	bool orig_needs_swap;
>  
>  	del_tool = container_of(tool, struct delegate_tool, tool);
> @@ -678,7 +707,23 @@ static int aslr_tool__process_sample(const struct perf_tool *tool,
>  		return delegate->sample(delegate, event, sample, machine);
>  
>  	ret = -EFAULT;
> -	sample_type = evsel->core.attr.sample_type;
> +
> +	if (hashmap__find(&aslr->evsel_orig_attrs, evsel, &priv)) {
> +		orig_sample_type = priv->orig_sample_type;
> +		orig_regs_user = priv->orig_sample_regs_user;
> +		orig_regs_intr = priv->orig_sample_regs_intr;
> +	} else {
> +		orig_sample_type = evsel->core.attr.sample_type;
> +		orig_regs_user = evsel->core.attr.sample_regs_user;
> +		orig_regs_intr = evsel->core.attr.sample_regs_intr;
> +	}
> +
> +	orig_sample_size = evsel->sample_size;
> +
> +	sample_type = orig_sample_type;
> +	sample_type &= ~PERF_SAMPLE_REGS_USER;
> +	sample_type &= ~PERF_SAMPLE_REGS_INTR;
> +
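Review bot: the replacement of `sample_type = evsel->core.attr.sample_type` narrows the mask to just the two register bits, dropping the `&= ASLR_SUPPORTED_SAMPLE_TYPE` step the pre-patch code relied on, so any bit the copy loop below has no handler for stays advertised in sample_type while its payload is never emitted. A single expression keeps both behaviours: `sample_type = orig_sample_type & ASLR_SUPPORTED_SAMPLE_TYPE & ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR);`. Also, `orig_sample_size = evsel->sample_size;` is assigned here but no declaration for orig_sample_size appears in the declarations hunk above; if it is new in this patch it belongs next to orig_regs_user and orig_regs_intr.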

[Severity: High]
Does failing to mask out unsupported sample_type bits lead to parsing failures
on newer perf.data formats?

In aslr_tool__process_sample(), the sample_type used to synthesize the new
event is derived from orig_sample_type by masking out only
PERF_SAMPLE_REGS_USER and PERF_SAMPLE_REGS_INTR.

Because this fails to mask out unsupported bits (unlike the pre-patch logic
which used &= ASLR_SUPPORTED_SAMPLE_TYPE), and the extraction loop (COPY_U64)
lacks handlers for unknown/unsupported bits, they are dropped from the
new_event payload.

However, since evsel->core.attr.sample_type = sample_type advertises these
bits as present, the subsequent call to evsel__parse_sample() will expect to
find them in the array. Can this mismatch cause the parser to read misaligned or
out-of-bounds data when processing traces from newer perf tools?

>  	max_i = (event->header.size - sizeof(struct perf_event_header)) / sizeof(__u64);
>  	max_j = (PERF_SAMPLE_MAX_SIZE - sizeof(struct perf_event_header)) / sizeof(__u64);
>  	new_event = (union perf_event *)aslr->event_copy;
> @@ -727,25 +772,25 @@ static int aslr_tool__process_sample(const struct perf_tool *tool,
>  		i++; \
>  	} while (0)
>  
> -	if (sample_type & PERF_SAMPLE_IDENTIFIER)
> +	if (orig_sample_type & PERF_SAMPLE_IDENTIFIER)
>  		COPY_U64(); /* id */
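Review bot: switching the PERF_SAMPLE_IDENTIFIER test to orig_sample_type is correct for the read side, because event->sample.array is laid out according to the original attr, but it only stays correct if every bit present in orig_sample_type and absent from the new sample_type is consumed on the read side (advance i past its u64s) rather than copied or silently skipped; otherwise the new_event payload no longer matches the sample_type that evsel__parse_sample() is later told to expect. Worth checking that each COPY_U64() site in this loop follows that rule for the register dumps in particular, since those have a variable u64 count derived from the original regs masks.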

[Severity: High]
This isn't a bug introduced by this patch, but can cross-endian perf.data files
be corrupted during ASLR injection due to mixed endianness in the synthesized
new_event payload?

In aslr_tool__process_sample(), new_event is synthesized using a combination
of COPY_U64() and REMAP_U64(). COPY_U64() copies directly from the original
event->sample.array, which is in the original file's endianness (perf core
does not swap sample payloads in-place).

However, REMAP_U64() computes remapped addresses and writes them in host
endianness. For cross-endian perf.data files, this results in a corrupted,
mixed-endian payload.

Furthermore, evsel->needs_swap = false forces the subsequent parser and the
delegated tool to treat the entire payload as host-endian, which permanently
corrupts fields like TID, TIME, and IDENTIFIER in the injected output file.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260606151451.2913860-1-irogers@google.com?part=5
