From: sashiko-bot@kernel.org
To: "James Clark" <james.clark@linaro.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v4 12/19] perf test cs-etm: Skip if not root
Date: Tue, 09 Jun 2026 14:53:01 +0000 [thread overview]
Message-ID: <20260609145301.D5E931F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260609-james-cs-context-tracking-fix-v4-12-44f9fb9e5c42@linaro.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Medium] A Time-of-Check to Time-of-Use (TOCTOU) race condition exists due to an unsafe temporary file deletion and recreation pattern, allowing local attackers to modify arbitrary file timestamps or create empty files as root.
--
commit a4b1e28698440010ef2bccdf78c5fee8d8a1850d
Author: James Clark <james.clark@linaro.org>
perf test cs-etm: Skip if not root
This commit adds a root privilege check to the Arm CoreSight trace tests.
It ensures the tests are skipped gracefully with a clear message if the
user running them is not root, as root access is required for certain
testing modes.
> diff --git a/tools/perf/tests/shell/test_arm_coresight.sh b/tools/perf/tests/shell/test_arm_coresight.sh
> index 39553702c1f31..8ed2c934c87d0 100755
> --- a/tools/perf/tests/shell/test_arm_coresight.sh
> +++ b/tools/perf/tests/shell/test_arm_coresight.sh
> @@ -20,6 +20,12 @@ skip_if_no_cs_etm_event() {
>
> skip_if_no_cs_etm_event || exit 2
>
> +if [ "$(id -u)" != 0 ]; then
> + # Requires root for -C and system wide tests
> + echo "[Skip] No root permission"
> + exit 2
> +fi
> +
[Severity: Medium]
This is a pre-existing issue, but by enforcing that this script must run
as root, does this turn an existing race condition into a local privilege
escalation or denial-of-service vector?
Can we fix the temporary file handling here? Currently, the script securely
creates a temporary file but later deletes and recreates it:
tools/perf/tests/shell/test_arm_coresight.sh:record_touch_file() {
...
rm -f $file
perf record -o ${perfdata} -e cs_etm/@$1/u --per-thread \
-- taskset -c $2 touch $file > /dev/null 2>&1
}
Since the file is securely created in the world-writable /tmp directory via
mktemp, the rm -f frees the predictable name. An attacker monitoring /tmp
can race to create a symlink at this path after the deletion but before the
root user executes touch.
Would this allow an attacker to modify arbitrary file timestamps or create
empty files as root?
> perfdata=$(mktemp /tmp/__perf_test.perf.data.XXXXX)
> file=$(mktemp /tmp/temporary_file.XXXXX)
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609-james-cs-context-tracking-fix-v4-0-44f9fb9e5c42@linaro.org?part=12
next prev parent reply other threads:[~2026-06-09 14:53 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 14:30 [PATCH v4 00/19] perf cs-etm: Queue context packets for frontend James Clark
2026-06-09 14:30 ` [PATCH v4 01/19] " James Clark
2026-06-09 14:46 ` sashiko-bot
2026-06-09 14:30 ` [PATCH v4 02/19] perf test: Add workload-ctl option James Clark
2026-06-09 14:40 ` sashiko-bot
2026-06-10 9:51 ` James Clark
2026-06-09 14:30 ` [PATCH v4 03/19] perf test: Add a workload that forces context switches James Clark
2026-06-09 14:30 ` [PATCH v4 04/19] perf test cs-etm: Test process attribution James Clark
2026-06-09 14:41 ` sashiko-bot
2026-06-10 9:51 ` James Clark
2026-06-09 14:30 ` [PATCH v4 05/19] perf test: Add deterministic workload James Clark
2026-06-09 14:30 ` [PATCH v4 06/19] perf test cs-etm: Replace unroll loop thread with deterministic decode test James Clark
2026-06-09 14:52 ` sashiko-bot
2026-06-09 14:31 ` [PATCH v4 07/19] perf test cs-etm: Remove asm_pure_loop test James Clark
2026-06-09 14:53 ` sashiko-bot
2026-06-09 14:31 ` [PATCH v4 08/19] perf test cs-etm: Replace memcpy test with raw dump stress test James Clark
2026-06-09 14:31 ` [PATCH v4 09/19] perf test: Add named_threads workload James Clark
2026-06-09 14:50 ` sashiko-bot
2026-06-09 14:31 ` [PATCH v4 10/19] perf test cs-etm: Test decoding for concurrent threads test James Clark
2026-06-09 14:31 ` [PATCH v4 11/19] perf test cs-etm: Remove duplicate branch tests James Clark
2026-06-09 14:31 ` [PATCH v4 12/19] perf test cs-etm: Skip if not root James Clark
2026-06-09 14:53 ` sashiko-bot [this message]
2026-06-09 14:31 ` [PATCH v4 13/19] perf test cs-etm: Reduce snapshot size James Clark
2026-06-09 14:31 ` [PATCH v4 14/19] perf test cs-etm: Speed up basic test James Clark
2026-06-09 14:31 ` [PATCH v4 15/19] perf test cs-etm: Remove unused Coresight workloads James Clark
2026-06-09 14:31 ` [PATCH v4 16/19] perf test cs-etm: Make disassembly test use kcore James Clark
2026-06-09 14:31 ` [PATCH v4 17/19] perf test cs-etm: Add all branch instructions to test James Clark
2026-06-09 14:31 ` [PATCH v4 18/19] perf test cs-etm: Speed up disassembly test James Clark
2026-06-09 15:06 ` sashiko-bot
2026-06-09 14:31 ` [PATCH v4 19/19] perf test cs-etm: Move existing tests to coresight folder James Clark
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609145301.D5E931F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=james.clark@linaro.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.