From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v17 4/5] perf aslr: Strip sample registers
Date: Sun, 07 Jun 2026 06:27:41 +0000 [thread overview]
Message-ID: <20260607062741.A4C421F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260607060933.3274263-5-irogers@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] ASLR stripping of breakpoint and kprobe/uprobe fields is bypassed, and sample_type is corrupted, when processing cross-endian traces due to incorrect bswap logic.
--
commit dd031a94e79bda6ae3f56773d70deec897c2f043
Author: Ian Rogers <irogers@google.com>
perf aslr: Strip sample registers
Extend the ASLR tool stripping helpers to drop register dump payloads
by masking out the relevant perf_event_attr fields (sample_regs_user,
sample_regs_intr) when the delegated tool is handling the data.
struct aslr_evsel_priv maintains the original perf_event_attr values
and is looked up via the evsel_orig_attrs hashmap so that sample sizes
can be properly parsed even when bits are stripped from the pipeline.
> diff --git a/tools/perf/util/aslr.c b/tools/perf/util/aslr.c
> index 8980599b0158f..bf6bb27153573 100644
> --- a/tools/perf/util/aslr.c
> +++ b/tools/perf/util/aslr.c
[ ... ]
> @@ -1120,43 +1200,44 @@ static int aslr_tool__process_auxtrace_error(const struct perf_tool *tool __mayb
> return 0;
> }
>
> -
> -void aslr_tool__strip_attr_event(union perf_event *event, struct evlist **pevlist)
> +void aslr_tool__strip_attr_event(union perf_event *event, struct evlist *evlist)
> {
> struct evsel *evsel;
> bool needs_swap = false;
>
[ ... ]
> if (event->header.size >= (offsetof(struct perf_record_header_attr,
> attr.sample_type) + sizeof(u64))) {
> - u64 st = event->attr.attr.sample_type;
> -
> - if (needs_swap)
> - st = bswap_64(st);
> -
> - st &= ASLR_SUPPORTED_SAMPLE_TYPE;
> + if (needs_swap) {
> + u64 st = bswap_64(event->attr.attr.sample_type);
>
> - if (needs_swap)
> - st = bswap_64(st);
> + st &= ASLR_SUPPORTED_SAMPLE_TYPE;
> + event->attr.attr.sample_type = bswap_64(st);
[Severity: High]
Does this code inadvertently corrupt the sample_type bitmask?
Since perf_session__process_user_event() calls event_swap(), which delegates
to perf_event__hdr_attr_swap(), the event->attr.attr structure is already
byte-swapped in-place to native endianness before the tool->attr() callback
is invoked.
Swapping it again here when needs_swap is true would corrupt the value before
applying the ASLR_SUPPORTED_SAMPLE_TYPE mask.
> + } else {
> + event->attr.attr.sample_type &= ASLR_SUPPORTED_SAMPLE_TYPE;
> + }
>
> - event->attr.attr.sample_type = st;
> + if (event->header.size >=
> + (offsetof(struct perf_record_header_attr, attr.sample_regs_user) + sizeof(u64)))
> + event->attr.attr.sample_regs_user = 0;
> + if (event->header.size >=
> + (offsetof(struct perf_record_header_attr, attr.sample_regs_intr) + sizeof(u64)))
> + event->attr.attr.sample_regs_intr = 0;
> }
>
> if (event->header.size >= (offsetof(struct perf_record_header_attr,
> attr.type) + sizeof(u32))) {
> - u32 type = event->attr.attr.type;
> -
> - if (needs_swap)
> - type = bswap_32(type);
> + u32 type = needs_swap ? bswap_32(event->attr.attr.type) : event->attr.attr.type;
[Severity: High]
Is it possible this logic bypasses ASLR scrubbing for cross-endian traces?
Because event->attr.attr.type was already swapped to native endianness prior to
this tool callback, calling bswap_32() here would cause the type ==
PERF_TYPE_BREAKPOINT check below to evaluate to false (e.g., native 5
becomes 0x05000000).
This would bypass the scrubbing of bp_addr, config1, and config2, potentially
leaking kernel ASLR addresses.
>
> if (type == PERF_TYPE_BREAKPOINT &&
> event->header.size >= (offsetof(struct perf_record_header_attr,
> - attr.bp_addr) + sizeof(u64))) {
> + attr.bp_addr) + sizeof(u64))) {
> event->attr.attr.bp_addr = 0;
> } else if (type >= PERF_TYPE_MAX) {
> struct perf_pmu *pmu;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260607060933.3274263-1-irogers@google.com?part=4
next prev parent reply other threads:[~2026-06-07 6:27 UTC|newest]
Thread overview: 152+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 22:05 [PATCH v1 1/2] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-04-24 22:05 ` [PATCH v1 2/2] perf test: Add inject ASLR test Ian Rogers
2026-04-24 22:47 ` sashiko-bot
2026-04-24 22:36 ` [PATCH v1 1/2] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses sashiko-bot
2026-04-25 2:05 ` [PATCH v2 " Ian Rogers
2026-04-25 2:05 ` [PATCH v2 2/2] perf test: Add inject ASLR test Ian Rogers
2026-05-04 3:51 ` [PATCH v3 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-04 3:51 ` [PATCH v3 1/4] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-04 3:51 ` [PATCH v3 2/4] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-04 3:51 ` [PATCH v3 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-04 4:51 ` sashiko-bot
2026-05-04 3:51 ` [PATCH v3 4/4] perf test: Add inject ASLR test Ian Rogers
2026-05-04 5:02 ` sashiko-bot
2026-05-04 7:29 ` [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-04 7:29 ` [PATCH v4 1/4] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-04 7:29 ` [PATCH v4 2/4] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-04 7:29 ` [PATCH v4 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-04 8:39 ` sashiko-bot
2026-05-04 7:29 ` [PATCH v4 4/4] perf test: Add inject ASLR test Ian Rogers
2026-05-04 8:48 ` sashiko-bot
2026-05-04 8:23 ` [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-06 0:45 ` [PATCH v5 0/5] " Ian Rogers
2026-05-06 0:45 ` [PATCH v5 1/5] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-06 13:22 ` Arnaldo Carvalho de Melo
2026-05-06 16:16 ` Ian Rogers
2026-05-06 0:45 ` [PATCH v5 2/5] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-06 0:45 ` [PATCH v5 3/5] perf symbols: Fix map removal sequence inside dso__process_kernel_symbol() Ian Rogers
2026-05-06 1:45 ` sashiko-bot
2026-05-06 0:45 ` [PATCH v5 4/5] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-06 2:40 ` sashiko-bot
2026-05-06 18:52 ` Namhyung Kim
2026-05-06 20:01 ` Ian Rogers
2026-05-06 0:45 ` [PATCH v5 5/5] perf test: Add inject ASLR test Ian Rogers
2026-05-07 15:58 ` James Clark
2026-05-07 16:17 ` Ian Rogers
2026-05-08 10:42 ` James Clark
2026-05-08 10:49 ` James Clark
2026-05-08 8:27 ` [PATCH v6 0/6] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-08 8:27 ` [PATCH v6 1/6] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-08 8:27 ` [PATCH v6 2/6] perf tool: Missing delegate_tool schedstat delegates and dont_split_sample_group Ian Rogers
2026-05-08 8:27 ` [PATCH v6 3/6] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-08 10:57 ` James Clark
2026-05-08 20:37 ` sashiko-bot
2026-05-11 7:07 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 4/6] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-08 21:22 ` sashiko-bot
2026-05-11 7:32 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 5/6] perf test: Add inject ASLR test Ian Rogers
2026-05-08 13:29 ` James Clark
2026-05-08 14:29 ` James Clark
2026-05-11 7:34 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 6/6] perf aslr: Strip sample registers Ian Rogers
2026-05-08 21:49 ` sashiko-bot
2026-05-19 8:08 ` [PATCH v7 0/4] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-05-19 8:08 ` [PATCH v7 1/4] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-19 8:38 ` sashiko-bot
2026-05-19 8:08 ` [PATCH v7 2/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-19 9:14 ` sashiko-bot
2026-05-19 8:08 ` [PATCH v7 3/4] perf test: Add inject ASLR test Ian Rogers
2026-05-19 8:08 ` [PATCH v7 4/4] perf aslr: Strip sample registers Ian Rogers
2026-05-19 9:55 ` sashiko-bot
2026-05-20 6:30 ` [PATCH v8 0/4] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-05-20 6:30 ` [PATCH v8 1/4] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-20 7:06 ` sashiko-bot
2026-05-20 6:30 ` [PATCH v8 2/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-20 7:50 ` sashiko-bot
2026-05-23 14:44 ` kernel test robot
2026-05-20 6:30 ` [PATCH v8 3/4] perf test: Add inject ASLR test Ian Rogers
2026-05-20 8:02 ` sashiko-bot
2026-05-20 6:30 ` [PATCH v8 4/4] perf aslr: Strip sample registers Ian Rogers
2026-05-20 8:41 ` sashiko-bot
2026-06-04 17:28 ` [PATCH v9 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-04 17:28 ` [PATCH v9 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-04 17:46 ` sashiko-bot
2026-06-04 17:28 ` [PATCH v9 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-04 17:45 ` sashiko-bot
2026-06-04 17:28 ` [PATCH v9 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-04 17:45 ` sashiko-bot
2026-06-04 17:28 ` [PATCH v9 4/5] perf test: Add inject ASLR test Ian Rogers
2026-06-04 17:40 ` sashiko-bot
2026-06-04 17:28 ` [PATCH v9 5/5] perf aslr: Strip sample registers Ian Rogers
2026-06-04 17:45 ` sashiko-bot
2026-06-05 6:06 ` [PATCH v10 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-05 6:06 ` [PATCH v10 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-05 6:20 ` sashiko-bot
2026-06-05 6:06 ` [PATCH v10 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-05 6:06 ` [PATCH v10 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-05 6:30 ` sashiko-bot
2026-06-05 6:06 ` [PATCH v10 4/5] perf test: Add inject ASLR test Ian Rogers
2026-06-05 6:13 ` sashiko-bot
2026-06-05 6:06 ` [PATCH v10 5/5] perf aslr: Strip sample registers Ian Rogers
2026-06-05 18:52 ` [PATCH v11 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-05 18:52 ` [PATCH v11 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-05 19:06 ` sashiko-bot
2026-06-05 18:52 ` [PATCH v11 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-05 19:07 ` sashiko-bot
2026-06-05 18:52 ` [PATCH v11 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-05 18:52 ` [PATCH v11 4/5] perf test: Add inject ASLR test Ian Rogers
2026-06-05 18:52 ` [PATCH v11 5/5] perf aslr: Strip sample registers Ian Rogers
2026-06-05 19:24 ` [PATCH v12 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-05 19:24 ` [PATCH v12 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-05 19:24 ` [PATCH v12 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-05 19:38 ` sashiko-bot
2026-06-05 19:24 ` [PATCH v12 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-05 19:24 ` [PATCH v12 4/5] perf test: Add inject ASLR test Ian Rogers
2026-06-05 19:24 ` [PATCH v12 5/5] perf aslr: Strip sample registers Ian Rogers
2026-06-05 19:48 ` [PATCH v13 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-05 19:48 ` [PATCH v13 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-05 19:48 ` [PATCH v13 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-05 20:06 ` sashiko-bot
2026-06-05 19:48 ` [PATCH v13 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-05 19:48 ` [PATCH v13 4/5] perf test: Add inject ASLR test Ian Rogers
2026-06-05 19:48 ` [PATCH v13 5/5] perf aslr: Strip sample registers Ian Rogers
2026-06-05 20:04 ` sashiko-bot
2026-06-05 20:56 ` [PATCH v14 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-05 20:56 ` [PATCH v14 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-05 20:56 ` [PATCH v14 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-05 21:12 ` sashiko-bot
2026-06-05 20:56 ` [PATCH v14 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-05 23:17 ` sashiko-bot
2026-06-05 20:56 ` [PATCH v14 4/5] perf test: Add inject ASLR test Ian Rogers
2026-06-05 21:05 ` sashiko-bot
2026-06-05 20:56 ` [PATCH v14 5/5] perf aslr: Strip sample registers Ian Rogers
2026-06-06 7:21 ` [PATCH v15 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-06 7:21 ` [PATCH v15 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-06 7:21 ` [PATCH v15 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-06 7:38 ` sashiko-bot
2026-06-06 7:21 ` [PATCH v15 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-06 7:36 ` sashiko-bot
2026-06-06 7:21 ` [PATCH v15 4/5] perf test: Add inject ASLR test Ian Rogers
2026-06-06 7:31 ` sashiko-bot
2026-06-06 7:21 ` [PATCH v15 5/5] perf aslr: Strip sample registers Ian Rogers
2026-06-06 7:38 ` sashiko-bot
2026-06-06 15:14 ` [PATCH v16 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-06 15:14 ` [PATCH v16 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-06 15:14 ` [PATCH v16 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-06 15:31 ` sashiko-bot
2026-06-06 15:14 ` [PATCH v16 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-06 15:30 ` sashiko-bot
2026-06-06 15:14 ` [PATCH v16 4/5] perf test: Add inject ASLR test Ian Rogers
2026-06-06 15:14 ` [PATCH v16 5/5] perf aslr: Strip sample registers Ian Rogers
2026-06-06 15:33 ` sashiko-bot
2026-06-07 6:09 ` [PATCH v17 0/5] perf tools: Add inject --aslr feature, early maps loading, and decoupling fixes Ian Rogers
2026-06-07 6:09 ` [PATCH v17 1/5] perf maps: Add maps__mutate_mapping Ian Rogers
2026-06-07 6:09 ` [PATCH v17 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking Ian Rogers
2026-06-07 8:27 ` sashiko-bot
2026-06-07 6:09 ` [PATCH v17 3/5] perf inject/aslr: Implement sample address remapping Ian Rogers
2026-06-07 6:27 ` sashiko-bot
2026-06-07 6:09 ` [PATCH v17 4/5] perf aslr: Strip sample registers Ian Rogers
2026-06-07 6:27 ` sashiko-bot [this message]
2026-06-07 6:09 ` [PATCH v17 5/5] perf test: Add inject ASLR test Ian Rogers
2026-06-07 6:18 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260607062741.A4C421F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.