From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 20/23] perf bpf: Fix map data leak in bpf_metadata_create() on alloc failure
Date: Wed, 10 Jun 2026 20:12:28 +0000 [thread overview]
Message-ID: <20260610201229.6B73A1F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260610195157.2091137-21-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Integer truncation of `event_size` causes a heap buffer overflow in `synthesize_perf_record_bpf_metadata()`.
--
commit a9860d8e0d78f30cfefe9a3589bea7fb77d053aa
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf bpf: Fix map data leak in bpf_metadata_create() on alloc failure
This patch fixes a memory leak in bpf_metadata_create() where map.btf
and map.rodata were leaked. It addresses this by calling
bpf_metadata_free_map_data() before continuing if bpf_metadata_alloc()
fails.
> diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
> index fe01551dc3e6c..b65ad28cd950f 100644
> --- a/tools/perf/util/bpf-event.c
> +++ b/tools/perf/util/bpf-event.c
> @@ -395,8 +395,10 @@ static struct bpf_metadata *bpf_metadata_create(struct bpf_prog_info *info)
> continue;
>
> metadata = bpf_metadata_alloc(info->nr_prog_tags, map.num_vars);
[Severity: High]
This is a pre-existing issue, but this allocation can lead to a heap buffer
overflow due to integer truncation.
In bpf_metadata_alloc(), the calculated event_size is stored into a __u16:
event_size = sizeof(metadata->event->bpf_metadata) +
nr_variables * sizeof(metadata->event->bpf_metadata.entries[0]);
...
metadata->event->bpf_metadata = (struct perf_record_bpf_metadata) {
.header = {
.type = PERF_RECORD_BPF_METADATA,
.size = event_size,
},
If a BPF program contains 204 or more .rodata variables prefixed with
"bpf_metadata_", event_size exceeds 65535 and silently truncates (e.g.,
65808 becomes 272).
Later, synthesize_perf_record_bpf_metadata() allocates a buffer using
this truncated size:
const size_t event_size = metadata->event->header.size;
...
event = zalloc(event_size + machine->id_hdr_size);
It then copies 512 bytes (BPF_PROG_NAME_LEN), overflowing the truncated
heap allocation:
memcpy(event->bpf_metadata.prog_name,
metadata->prog_names[index], BPF_PROG_NAME_LEN);
Could we add bounds checking for map.num_vars or validate event_size before
truncation?
> - if (!metadata)
> + if (!metadata) {
> + bpf_metadata_free_map_data(&map);
> continue;
> + }
>
> bpf_metadata_fill_event(&map, &metadata->event->bpf_metadata);
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610195157.2091137-1-acme@kernel.org?part=20
next prev parent reply other threads:[~2026-06-10 20:12 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 19:51 [PATCHES v1 00/23] perf tools: Fix OOB accesses, leaks, and missing bounds checks across pmu/symbols/bpf/hwmon Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 01/23] perf pmu: Fix pmu_id() heap underwrite on empty identifier file Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 02/23] perf pmu: Fix perf_pmu__parse_scale/unit() OOB access on empty sysfs file Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 03/23] tools lib api: Fix missing null termination in filename__read_int/ull() Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 04/23] perf symbols: Fix signed overflow in sysfs__read_build_id() size check Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 05/23] perf symbols: Bounds-check .gnu_debuglink section data Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 06/23] perf tools: Use mkostemp() for O_CLOEXEC on temporary files Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 07/23] perf intel-pt: Fix snprintf size tracking bug in insn decoder Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 08/23] perf tools: Fix thread__set_comm_from_proc() on empty comm file Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 09/23] perf hwmon: Fix off-by-one null termination on sysfs reads Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 10/23] perf hwmon: Use scnprintf() in hwmon_pmu__for_each_event() Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 11/23] perf hwmon: Fix parse_hwmon_filename() strlcpy buffer overflow Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 12/23] perf symbols: Bounds-check descsz in sysfs__read_build_id() GNU fallback Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 13/23] perf tools: Fix uninitialized pathname on uncompressed fallback in filename__decompress() Arnaldo Carvalho de Melo
2026-06-10 20:08 ` sashiko-bot
2026-06-10 21:52 ` Arnaldo Carvalho de Melo
2026-06-10 22:16 ` Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 14/23] perf hwmon: Guard label read against empty or failed reads Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 15/23] perf pmu: Use scnprintf() in format_alias() Arnaldo Carvalho de Melo
2026-06-10 20:05 ` sashiko-bot
2026-06-10 19:51 ` [PATCH 16/23] perf tools: Use snprintf() in dso__read_running_kernel_build_id() Arnaldo Carvalho de Melo
2026-06-10 20:10 ` sashiko-bot
2026-06-10 19:51 ` [PATCH 17/23] tools lib api: Fix filename__write_int() writing uninitialized stack data Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 18/23] tools lib api: Fix mount_overload() snprintf truncation and toupper range Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 19/23] perf bpf: Add NULL check for btf__type_by_id() in synthesize_bpf_prog_name() Arnaldo Carvalho de Melo
2026-06-10 20:14 ` sashiko-bot
2026-06-10 19:51 ` [PATCH 20/23] perf bpf: Fix map data leak in bpf_metadata_create() on alloc failure Arnaldo Carvalho de Melo
2026-06-10 20:12 ` sashiko-bot [this message]
2026-06-10 19:51 ` [PATCH 21/23] perf bpf: Fix metadata leak in perf_env__add_bpf_info() on duplicate insert Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 22/23] perf symbols: Add bounds checks to elf_read_build_id() note iteration Arnaldo Carvalho de Melo
2026-06-10 19:51 ` [PATCH 23/23] perf symbols: Add bounds checks to read_build_id() note iteration in minimal build Arnaldo Carvalho de Melo
2026-06-10 20:15 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610201229.6B73A1F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.