Re: [PATCH 2/7] perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 2/7] perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu
Date: Sat, 06 Jun 2026 20:23:35 +0000	[thread overview]
Message-ID: <20260606202336.0F9321F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260606200601.1861227-3-acme@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing bounds validation for the untrusted `sample->cpu` index when accessing the dynamically allocated `env->cpu` array in `machine__resolve()`.
--

commit 50d04a9b8194c04adf66854548c5855bbd4c23f4
Author: Arnaldo Carvalho de Melo <acme@redhat.com>

perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu

This commit introduces a safe accessor, perf_env__get_cpu_topology(), to
prevent NULL pointer dereferences when accessing env->cpu on older
perf.data files. It also updates several topology aggregation callbacks
in builtin-stat.c to use this new accessor.

> diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h
> index 7621d1f73b83a..7acca39b42ff3 100644
> --- a/tools/perf/util/env.h
> +++ b/tools/perf/util/env.h

[ ... ]

> @@ -187,6 +187,20 @@ const char *perf_env__pmu_mappings(struct perf_env *env);
>  
>  int perf_env__read_cpu_topology_map(struct perf_env *env);
>  
> +/*
> + * Safe accessor for env->cpu[] topology array.  env->cpu can be NULL when
> + * reading old-format perf.data that predates topology information —
> + * process_cpu_topology() in header.c frees it while nr_cpus_avail remains
> + * set, so callers must not index env->cpu[] without this check.
> + */
> +static inline struct cpu_topology_map *
> +perf_env__get_cpu_topology(struct perf_env *env, struct perf_cpu cpu)
> +{
> +	if (env->cpu && cpu.cpu >= 0 && cpu.cpu < env->nr_cpus_avail)
> +		return &env->cpu[cpu.cpu];
> +	return NULL;
> +}

[Severity: High]
This is a pre-existing issue, but I noticed that tools/perf/util/event.c
accesses the dynamically allocated env->cpu array without validation.

In machine__resolve():

	if (al->cpu >= 0) {
		struct perf_env *env = machine->env;

		if (env && env->cpu)
			al->socket = env->cpu[al->cpu].socket_id;
	}

Since al->cpu is derived from the untrusted perf.data file payload,
can this trigger an out-of-bounds heap read on env->cpu[] if the
file provides an artificially large CPU index?

Would it make sense to update machine__resolve() to use this new
perf_env__get_cpu_topology() helper to ensure proper validation against
env->nr_cpus_avail?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260606200601.1861227-1-acme@kernel.org?part=2

next prev parent reply	other threads:[~2026-06-06 20:23 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-06 20:05 [PATCH v1 0/7] perf tools: Fix NULL derefs, OOB reads, use-after-free, and memory leaks Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 1/7] perf mmap: Fix NULL deref in aio cleanup on alloc failure Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 2/7] perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu Arnaldo Carvalho de Melo
2026-06-06 20:23   ` sashiko-bot [this message]
2026-06-06 21:47     ` Arnaldo Melo
2026-06-06 20:05 ` [PATCH 3/7] perf c2c: Fix use-after-free in he__get_c2c_hists() error path Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 4/7] perf timechart: Fix cpu2y() OOB read on untrusted CPU index Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 5/7] perf tools: Fix int16_t truncation of max_cpu_num in set_max_cpu_num() Arnaldo Carvalho de Melo
2026-06-06 20:19   ` sashiko-bot
2026-06-06 20:05 ` [PATCH 6/7] perf sched: Free callchain nodes in idle thread cleanup Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 7/7] libperf: Document struct perf_cpu int16_t ABI limitation Arnaldo Carvalho de Melo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260606202336.0F9321F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=acme@kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.