From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 09/11] perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name()
Date: Sun, 07 Jun 2026 23:46:25 +0000 [thread overview]
Message-ID: <20260607234626.418F51F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260607232925.1935819-10-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Buffer overflow in `hwmon_pmu__for_each_event` due to unsafe `snprintf` accumulation.
- [Critical] Buffer overflow in `perf_pmu__for_each_event` due to unsafe `snprintf` accumulation.
- [Medium] Missing validation for `btf__type_by_id()` return value in `synthesize_bpf_prog_name` leads to a NULL pointer dereference.
- [Medium] Missing bounds checking when accessing BPF function info and program tags allows out-of-bounds memory reads.
- [Medium] Leaked `map.btf` and `map.rodata` in `bpf_metadata_create()` on error path.
- [Medium] Leaked `info_node->metadata` when `perf_env__insert_bpf_prog_info` fails in `perf_env__add_bpf_info()`.
--
commit 36b9c4933bfd61cb63ed28852ac600bdb93eebb7
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name()
This commit fixes buffer overflows by switching from snprintf() to scnprintf()
when accumulating formatted strings. This prevents writing past the end of
the buffer if truncation previously occurred.
> diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
> index a27945c279efb..2c09842469f1f 100644
> --- a/tools/perf/util/bpf-event.c
> +++ b/tools/perf/util/bpf-event.c
[ ... ]
> @@ -140,7 +140,7 @@ static int synthesize_bpf_prog_name(char *buf, int size,
> const struct btf_type *t;
> int name_len;
>
> - name_len = snprintf(buf, size, "bpf_prog_");
> + name_len = scnprintf(buf, size, "bpf_prog_");
> name_len += snprintf_hex(buf + name_len, size - name_len,
> prog_tags[sub_id], BPF_TAG_SIZE);
> if (btf) {
While reviewing this function, I noticed a couple of pre-existing issues
just below this diff hunk:
tools/perf/util/bpf-event.c:synthesize_bpf_prog_name() {
if (btf) {
finfo = func_infos + sub_id * info->func_info_rec_size;
t = btf__type_by_id(btf, finfo->type_id);
short_name = btf__name_by_offset(btf, t->name_off);
...
[Severity: Medium]
This isn't a bug introduced by this patch, but does calculating the finfo
pointer using the unvalidated info->func_info_rec_size from the untrusted
perf.data file allow out-of-bounds memory reads?
[Severity: Medium]
This is a pre-existing issue, but btf__type_by_id() can return NULL if
finfo->type_id is invalid or out of bounds. Will accessing t->name_off
immediately after cause a NULL pointer dereference here?
Additionally, I noticed a few other pre-existing issues in the perf tools
codebase during this review:
tools/perf/util/bpf-event.c:bpf_metadata_create() {
...
metadata = bpf_metadata_alloc(info->nr_prog_tags, map.num_vars);
if (!metadata)
continue;
...
[Severity: Medium]
This isn't a bug introduced by this patch, but does this error path
permanently leak the memory allocated for map.btf and map.rodata by
skipping the bpf_metadata_free_map_data() cleanup?
tools/perf/util/bpf-event.c:perf_env__add_bpf_info() {
...
if (!perf_env__insert_bpf_prog_info(env, info_node)) {
pr_debug("%s: duplicate add bpf info request for id %u\n",
__func__, btf_id);
free(info_linear);
free(info_node);
goto out;
}
...
[Severity: Medium]
This is a pre-existing issue, but does freeing info_node here without freeing
info_node->metadata leak the dynamically allocated metadata?
tools/perf/util/hwmon_pmu.c:hwmon_pmu__for_each_event() {
...
len += hwmon_pmu__describe_items(hwm, desc_buf + len, sizeof(desc_buf) - len,
key, value->items, /*is_alarm=*/false);
...
[Severity: Critical]
This isn't a bug introduced by this patch, but it is a similar issue to the
ones being fixed.
Does accumulating the length from snprintf() without checking for truncation
cause sizeof(desc_buf) - len to wrap to a huge value, leading to a stack
buffer overflow in subsequent calls?
Note that this issue was not fixed by the later patches in the series.
tools/perf/util/pmu.c:perf_pmu__for_each_event() {
...
buf_used += snprintf(buf + buf_used, sizeof(buf) - buf_used,
"%.*s/%s/", (int)pmu_name_len, info.pmu_name, event->terms) + 1;
...
[Severity: Critical]
This is a pre-existing issue, but does accumulating the return value of
snprintf() into buf_used risk truncation wrapping?
If buf_used exceeds sizeof(buf), sizeof(buf) - buf_used underflows, leading
to a stack buffer overflow on the next write.
Note that this issue was also not fixed by the later patches in the series.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260607232925.1935819-1-acme@kernel.org?part=9
next prev parent reply other threads:[~2026-06-07 23:46 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-07 23:29 [PATCHES v1 00/11] perf tools: Assorted fixes Arnaldo Carvalho de Melo
2026-06-07 23:29 ` [PATCH 01/11] perf tools: Fix get_max_num() size_t underflow on empty sysfs file Arnaldo Carvalho de Melo
2026-06-07 23:45 ` sashiko-bot
2026-06-07 23:29 ` [PATCH 02/11] perf tools: Use scnprintf() in cpu_map__snprint() to prevent overflow Arnaldo Carvalho de Melo
2026-06-07 23:29 ` [PATCH 03/11] perf tools: Use perf_env__get_cpu_topology() in machine__resolve() Arnaldo Carvalho de Melo
2026-06-07 23:29 ` [PATCH 04/11] perf mmap: Fix mbind() maxnode vs bitmap allocation mismatch in aio_bind Arnaldo Carvalho de Melo
2026-06-07 23:29 ` [PATCH 05/11] perf tools: NULL bitmap pointers after bitmap_free() Arnaldo Carvalho de Melo
2026-06-07 23:29 ` [PATCH 06/11] perf sched: Bounds-check prio before test_bit() in timehist Arnaldo Carvalho de Melo
2026-06-07 23:42 ` sashiko-bot
2026-06-07 23:29 ` [PATCH 07/11] perf sched: Fix idle-hist callchain display using wrong rb_first variant Arnaldo Carvalho de Melo
2026-06-07 23:29 ` [PATCH 08/11] perf tools: Add O_CLOEXEC to open() calls in DSO and ELF code Arnaldo Carvalho de Melo
2026-06-07 23:42 ` sashiko-bot
2026-06-07 23:29 ` [PATCH 09/11] perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name() Arnaldo Carvalho de Melo
2026-06-07 23:46 ` sashiko-bot [this message]
2026-06-07 23:29 ` [PATCH 10/11] perf hists: Fix snprintf() in hists__scnprintf_title() UID filter path Arnaldo Carvalho de Melo
2026-06-07 23:47 ` sashiko-bot
2026-06-07 23:29 ` [PATCH 11/11] perf tools: Use scnprintf() in build_id__snprintf() and hwmon read_events() Arnaldo Carvalho de Melo
2026-06-07 23:49 ` sashiko-bot
-- strict thread matches above, loose matches on Subject: below --
2026-06-08 1:30 [PATCHES v2 00/11] perf tools: Assorted fixes Arnaldo Carvalho de Melo
2026-06-08 1:30 ` [PATCH 09/11] perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name() Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260607234626.418F51F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.