From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 15/15] perf cs-etm: Reject CPU IDs that would overflow signed comparison
Date: Fri, 12 Jun 2026 01:00:21 +0000 [thread overview]
Message-ID: <20260612010021.ADFF21F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612003444.50723-16-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [Medium] The new bounds check allows `INT_MAX`, resulting in undefined behavior via signed integer overflow when calculating `max_cpu + 1`.
Pre-existing issues:
- [Critical] The calculation `sizeof(*metadata) * num_cpu` wraps around on 32-bit architectures, leading to a zero-sized allocation and massive out-of-bounds heap write.
- [High] Global metadata attributes are accessed from the event payload before verifying that the event buffer is large enough.
- [High] Unvalidated `sample.cpu` index leads to an out-of-bounds array access in `cs_etm__get_queue()` when triggered by `PERF_RECORD_AUX_OUTPUT_HW_ID` events.
--
commit bc723e7a90a3b64c38ed57e3f771d57c18e1dc9d
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf cs-etm: Reject CPU IDs that would overflow signed comparison
This commit fixes an out-of-bounds access in
cs_etm__process_auxtrace_info_full() caused by a cast from u64 to int. It
adds a validation check to ensure the CPU ID fits within an int before
performing a signed comparison against max_cpu.
Cc: James Clark <james.clark@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/finding/2
> diff --git a/tools/perf/util/cs-etm.c b/tools/perf/util/cs-etm.c
> index 5e92359f51a7c..d8876b8362056 100644
> --- a/tools/perf/util/cs-etm.c
> +++ b/tools/perf/util/cs-etm.c
> @@ -6,6 +6,7 @@
> * Author: Mathieu Poirier <mathieu.poirier@linaro.org>
> */
>
> +#include <limits.h>
> #include <linux/bitfield.h>
> #include <linux/bitops.h>
> #include <linux/coresight-pmu.h>
[ ... ]
> @@ -3468,7 +3469,13 @@ int cs_etm__process_auxtrace_info_full(union perf_event *event,
> goto err_free_metadata;
> }
>
> - if ((int) metadata[j][CS_ETM_CPU] > max_cpu)
> + /* CPU id comes from perf.data and must be a valid index */
> + if (metadata[j][CS_ETM_CPU] > INT_MAX) {
> + err = -EINVAL;
> + goto err_free_metadata;
> + }
[Severity: Medium]
Does this upper bound check still allow max_cpu to become INT_MAX?
If the trace provides exactly INT_MAX, max_cpu is set to INT_MAX. Later in
cs_etm__process_auxtrace_info_full(), it calls:
err = auxtrace_queues__init_nr(&etm->queues, max_cpu + 1);
Will computing INT_MAX + 1 cause a signed integer overflow?
[Severity: Critical]
This is a pre-existing issue, but I noticed a potential calculation overflow
earlier in cs_etm__process_auxtrace_info_full():
num_cpu = ptr[CS_PMU_TYPE_CPUS] & 0xffffffff;
metadata = zalloc(sizeof(*metadata) * num_cpu);
On 32-bit platforms, could a crafted num_cpu (e.g., 1073741825) cause the
multiplication to wrap around to 4? If zalloc() succeeds with a tiny buffer,
wouldn't the subsequent loop:
for (int j = 0; j < num_cpu; j++) {
...
metadata[j] = cs_etm__create_meta_blk(...);
continuously write out-of-bounds into the undersized allocation?
[Severity: High]
This is a pre-existing issue, but is it possible to read past the end of the
event payload before its size is fully validated?
In cs_etm__process_auxtrace_info_full():
ptr = (u64 *) auxtrace_info->priv;
num_cpu = ptr[CS_PMU_TYPE_CPUS] & 0xffffffff;
Since the initial perf_record_auxtrace_info size check only guarantees
16 bytes, and priv[] starts at offset 16, accessing ptr[CS_PMU_TYPE_CPUS]
reads from offset 24.
Could this access unmapped memory if the event is truncated?
[Severity: High]
This is a pre-existing issue, but is there an unvalidated index used for
queue array lookups?
When processing PERF_RECORD_AUX_OUTPUT_HW_ID events, sample.cpu is parsed
directly from the payload. It gets passed down the call chain:
cs_etm__process_aux_output_hw_id()
cs_etm__process_trace_id_v0_1()
cs_etm__get_queue()
Inside cs_etm__get_queue():
return etm->queues.queue_array[cpu].priv;
Since cpu comes directly from the trace data, could an arbitrarily large or
negative value cause an out-of-bounds read if it exceeds nr_queues?
> +
> + if ((int)metadata[j][CS_ETM_CPU] > max_cpu)
> max_cpu = metadata[j][CS_ETM_CPU];
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612003444.50723-1-acme@kernel.org?part=15
prev parent reply other threads:[~2026-06-12 1:00 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 0:34 [PATCHES v1 00/15] perf tools: Fix pre-existing bugs in symbols, dso, bpf, sched, c2c, hwmon, and cs-etm Arnaldo Carvalho de Melo
2026-06-12 0:34 ` [PATCH 01/15] perf symbols: Fix bswap copy-paste error for 32-bit ELF p_filesz Arnaldo Carvalho de Melo
2026-06-12 0:34 ` [PATCH 02/15] perf symbols: Validate p_filesz before use in filename__read_build_id() Arnaldo Carvalho de Melo
2026-06-12 0:34 ` [PATCH 03/15] perf symbols: Use fixed buffer in sysfs__read_build_id() for no-libelf build Arnaldo Carvalho de Melo
2026-06-12 0:47 ` sashiko-bot
2026-06-12 0:34 ` [PATCH 04/15] perf symbols: Break infinite loop on zero-filled notes in sysfs__read_build_id() Arnaldo Carvalho de Melo
2026-06-12 0:34 ` [PATCH 05/15] perf dso: Fix heap overflow in dso__get_filename() on decompressed path Arnaldo Carvalho de Melo
2026-06-12 0:34 ` [PATCH 06/15] perf dso: Set error code when open() fails on uncompressed fallback path Arnaldo Carvalho de Melo
2026-06-12 0:54 ` sashiko-bot
2026-06-12 0:34 ` [PATCH 07/15] perf tools: Use snprintf() for root_dir path construction Arnaldo Carvalho de Melo
2026-06-12 2:54 ` sashiko-bot
2026-06-12 0:34 ` [PATCH 08/15] perf hwmon: Fix fd check to accept fd 0 in hwmon_pmu__describe_items() Arnaldo Carvalho de Melo
2026-06-12 0:34 ` [PATCH 09/15] perf sched: Replace (void*)1 sentinel with proper runtime allocation Arnaldo Carvalho de Melo
2026-06-12 0:34 ` [PATCH 10/15] perf bpf: Validate func_info_rec_size and sub_id in synthesize_bpf_prog_name() Arnaldo Carvalho de Melo
2026-06-12 0:52 ` sashiko-bot
2026-06-12 0:34 ` [PATCH 11/15] perf bpf: Reject oversized BPF metadata events that truncate header.size Arnaldo Carvalho de Melo
2026-06-12 0:34 ` [PATCH 12/15] perf bpf: Bounds-check array offsets in bpil_offs_to_addr() Arnaldo Carvalho de Melo
2026-06-12 0:51 ` sashiko-bot
2026-06-12 0:34 ` [PATCH 13/15] perf c2c: Free format list entries when releasing c2c hist entries Arnaldo Carvalho de Melo
2026-06-12 0:58 ` sashiko-bot
2026-06-12 0:34 ` [PATCH 14/15] perf symbols: Add O_NONBLOCK to DSO open() calls for untrusted paths Arnaldo Carvalho de Melo
2026-06-12 4:57 ` sashiko-bot
2026-06-12 5:52 ` Ian Rogers
2026-06-12 0:34 ` [PATCH 15/15] perf cs-etm: Reject CPU IDs that would overflow signed comparison Arnaldo Carvalho de Melo
2026-06-12 1:00 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612010021.ADFF21F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.