From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v17 2/5] perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking
Date: Sun, 07 Jun 2026 08:27:33 +0000
Message-ID: <20260607082734.3BE7A1F00893@smtp.kernel.org>
In-Reply-To: <20260607060933.3274263-3-irogers@google.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Modifying memory-mapped read-only event buffers in place causes a segmentation fault.
- [High] Inconsistent handling of `(start - map__start(al.map))` for user space mappings leads to corrupted virtual address calculations.
- [High] KSYMBOL unregister events are emitted with an incorrect, newly allocated address instead of the original remapped address.
--

commit c190853279a63eb364ce133684668cb85c64d5e1
Author: Ian Rogers <irogers@google.com>

perf inject/aslr: Add ASLR tool infrastructure and MMAP tracking

If perf.data files are taken from one machine to another they may
leak virtual addresses and so weaken ASLR on the machine they are
coming from. Add an aslr option for perf inject that remaps all
virtual addresses, or drops data/events, so that the virtual address
information isn't leaked.

> diff --git a/tools/perf/util/aslr.c b/tools/perf/util/aslr.c
> new file mode 100644
> index 0000000000000..2c5fafbe5d846
> --- /dev/null
> +++ b/tools/perf/util/aslr.c

[ ... ]

> +static u64 aslr_tool__findnew_mapping(struct aslr_tool *aslr,
> +				      struct machine *session_machine,
> +				      struct thread *aslr_thread,
> +				      u8 cpumode, u64 start,
> +				      u64 len, u64 pgoff)
> +{

[ ... ]

> +		if (cpumode == PERF_RECORD_MISC_KERNEL ||
> +		    cpumode == PERF_RECORD_MISC_GUEST_KERNEL) {
> +			if (al.map) {
> +				*new_remap_val = remap_addr -
> +						 (start - map__start(al.map)) -
> +						 map__pgoff(al.map);
> +			} else {
> +				/*
> +				 * Subtract pgoff from the base virtual address so that
> +				 * when the lookup path adds pgoff back, it perfectly
> +				 * cancels out and returns remap_addr.
> +				 */
> +				*new_remap_val = remap_addr - pgoff;
> +			}
> +		} else {
> +			*new_remap_val = remap_addr - (al.map ? map__pgoff(al.map) : pgoff);
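Review bot: the user-space branch (the ternary `remap_addr - (al.map ? map__pgoff(al.map) : pgoff)`) has no comment explaining why it omits the `(start - map__start(al.map))` term that the kernel branch subtracts three lines above, whereas the kernel no-map case gets a four-line comment on the pgoff cancellation. If the intent is that user-space MMAP events always start at `map__start(al.map)` when a map is found, state that invariant in a comment next to the ternary and consider a `pr_debug()` when `al.map && start != map__start(al.map)`, so a merged or split VMA shows up in debugging output rather than as a silently shifted remapped address; otherwise subtract the term as in the kernel branch.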

[Severity: High]
Is there a missing subtraction of (start - map__start(al.map)) for the user
space mapping here?

The kernel space path just above subtracts it. If perf merges adjacent VMAs,
start might not equal map__start(al.map), which could result in returning an
address inflated by that difference on subsequent lookups and corrupting
the virtual address calculations.

> +		}
> +		err = hashmap__add(&aslr->remap_addresses, new_remap_key, new_remap_val);
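Review bot: `err` from `hashmap__add()` has no visible way to reach the caller, because `aslr_tool__findnew_mapping()` is declared above to return `u64` rather than `int`. If the add fails (for example with -ENOMEM), the lines shown neither free `new_remap_key`/`new_remap_val` nor report the failure, so the remapped value is returned once and then forgotten; a later lookup of the same address would presumably miss and mint a second, different remap value, breaking the one-to-one mapping the tool depends on. Consider returning `int` with the remapped address through an out parameter so callers such as the ksymbol path can propagate the error, and free the key/value on the failure path.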

[ ... ]

> +static int aslr_tool__process_ksymbol(const struct perf_tool *tool,
> +				      union perf_event *event,
> +				      struct perf_sample *sample,
> +				      struct machine *machine)
> +{

[ ... ]

> +	err = perf_event__process_ksymbol(tool, event, sample, aslr_machine);
> +	if (err)
> +		return err;
> +
> +	thread = machine__findnew_thread(aslr_machine, kernel_pid, 0);
> +	if (!thread)
> +		return -ENOMEM;
> +	memcpy(&new_event->ksymbol, &event->ksymbol, event->ksymbol.header.size);
> +	/* Remaps the ksymbol.start */
> +	new_event->ksymbol.addr = aslr_tool__findnew_mapping(aslr, machine, thread,

[Severity: High]
For KSYMBOL unregister events, does calling perf_event__process_ksymbol()
earlier in this function delete the map from aslr_machine->kmaps before we can
look it up here?

If the map is deleted beforehand, aslr_tool__findnew_mapping() might fail to
find the original map, fall back to generating a new unmapped key, and emit
a mismatched remapped address instead of the original one.

> +							     PERF_RECORD_MISC_KERNEL,
> +							     event->ksymbol.addr,
> +							     event->ksymbol.len,
> +							     /*pgoff=*/0);
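Review bot: the comment `/* Remaps the ksymbol.start */` names a field that does not exist in the lines shown; the assignment is to `new_event->ksymbol.addr`, so the comment should read `/* Remaps the ksymbol.addr */` (and ideally say that `len` is passed through unchanged). Separately, the `memcpy()` copies `event->ksymbol.header.size` bytes, and ksymbol events carry a variable-length name after the fixed fields; the allocation of `new_event` is not visible here, so please confirm it is sized to the event's `header.size` rather than to `sizeof(new_event->ksymbol)`.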

[ ... ]

> +void aslr_tool__strip_attr_event(union perf_event *event, struct evlist **pevlist)
> +{

[ ... ]

> +	if (event->header.size >= (offsetof(struct perf_record_header_attr,
> +					    attr.sample_type) + sizeof(u64))) {
> +		u64 st = event->attr.attr.sample_type;
> +
> +		if (needs_swap)
> +			st = bswap_64(st);
> +
> +		st &= ASLR_SUPPORTED_SAMPLE_TYPE;
> +
> +		if (needs_swap)
> +			st = bswap_64(st);
> +
> +		event->attr.attr.sample_type = st;

[Severity: High]
Does this code modify the event payload in place?

When processing a native-endian perf.data file, perf memory-maps the file's
data section with PROT_READ. If a PERF_RECORD_HEADER_ATTR event is located
in this read-only mapped data section, could writing directly to
event->attr.attr.sample_type trigger a segmentation fault?

> +	}
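Review bot: the masking only touches the raw event bytes, yet the function takes `struct evlist **pevlist`, which suggests evsels are created from this attr somewhere in the elided code. If an evsel already exists for this attr when the mask is applied, its `core.attr.sample_type` will still hold the unmasked value, so sample parsing in the injected session would assume one record layout while the rewritten attr advertises another. Please confirm the evsel is created after the mask (or is updated alongside the event) and add a comment saying which of the two is the source of truth; the double `bswap_64()` around `st &= ASLR_SUPPORTED_SAMPLE_TYPE` is correct for foreign-endian files but deserves a one-line comment too.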

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260607060933.3274263-1-irogers@google.com?part=2
