From: sashiko-bot@kernel.org
To: "Dapeng Mi" <dapeng1.mi@linux.intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [Patch v3 4/8] perf/x86/intel: Fix kernel address leakages in LBR stack
Date: Fri, 12 Jun 2026 09:18:41 +0000 [thread overview]
Message-ID: <20260612091842.8E8AB1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612090114.3188886-5-dapeng1.mi@linux.intel.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing Privilege Escalation/Leakage Fix in AMD LBR
--
commit c04d9132d61b165193dd28c5a358e42d3c52a350
Author: Dapeng Mi <dapeng1.mi@linux.intel.com>
perf/x86/intel: Fix kernel address leakages in LBR stack
This commit fixes a kernel address leakage in the Intel LBR stack when
PERF_SAMPLE_BRANCH_USER is requested. The intel_pmu_lbr_filter function
previously only validated the privilege level of the "to" address, leaving
kernel "from" addresses exposed on SYSRET/ERET branches. The fix extends
software filtering to validate both addresses against the requested filter.
Cc: stable@vger.kernel.org
Reported-by: Ian Rogers <irogers@google.com>
Fixes: 47125db27e47 ("perf/x86/intel/lbr: Support Architectural LBR")
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
> diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
> index e2657f791e507..16eef15378166 100644
> --- a/arch/x86/events/intel/lbr.c
> +++ b/arch/x86/events/intel/lbr.c
[ ... ]
> @@ -1244,8 +1244,14 @@ intel_pmu_lbr_filter(struct cpu_hw_events *cpuc)
> type |= X86_BR_NO_TX;
> }
>
> - /* if type does not correspond, then discard */
> - if (type == X86_BR_NONE || (br_sel & type) != type) {
> + from_plm = kernel_ip(from) ? X86_BR_KERNEL : X86_BR_USER;
> + /*
> + * If type does not correspond, then discard.
> + * Specifically reject entries whose from address is in
> + * kernel space when only X86_BR_USER is requested.
> + */
> + if (type == X86_BR_NONE || (br_sel & type) != type ||
> + (!(br_sel & X86_BR_KERNEL) && (from_plm & X86_BR_KERNEL))) {
[Severity: High]
This isn't a bug introduced by this patch, but does the exact same kernel
address leakage vulnerability exist in AMD's LBR implementation and remain
unpatched?
Looking at amd_pmu_lbr_filter() in arch/x86/events/amd/lbr.c, it relies on
branch_type_fused() to determine the branch type. For kernel-to-user branches
(like SYSRET), it evaluates the privilege purely based on the target (to)
address and returns X86_BR_SYSRET | X86_BR_USER.
When user-only branches are requested, br_sel includes X86_BR_USER and
X86_BR_ANY. Because AMD hardware will record kernel-to-user branches when
filtering by "ending in CPL > 0", the check in amd_pmu_lbr_filter():
if (type == X86_BR_NONE || (br_sel & type) != type) {
cpuc->lbr_entries[i].from = 0;
compress = true;
}
evaluates to false since type is fully satisfied by br_sel. This allows the
branch to bypass the software filter and leaks the kernel from addresses to
unprivileged users.
Should a similar from_plm validation check be added to amd_pmu_lbr_filter()
to prevent KASLR bypass on AMD systems?
> cpuc->lbr_entries[i].from = 0;
> compress = true;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612090114.3188886-1-dapeng1.mi@linux.intel.com?part=4
next prev parent reply other threads:[~2026-06-12 9:18 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 9:01 [Patch v3 0/8] perf/x86: Miscellaneous PMU bug fixes Dapeng Mi
2026-06-12 9:01 ` [Patch v3 1/8] perf/x86/intel: Remove anythread_deprecated bit from perf_capabilities Dapeng Mi
2026-06-12 9:46 ` Peter Zijlstra
2026-06-15 0:59 ` Mi, Dapeng
2026-06-15 3:28 ` Mi, Dapeng
2026-06-12 9:01 ` [Patch v3 2/8] perf/x86/intel: Keep cap_user_rdpmc in sync with RDPMC user-disable state Dapeng Mi
2026-06-12 9:01 ` [Patch v3 3/8] perf/x86/intel: Fallback to sw branch type decoding if no hw decoding Dapeng Mi
2026-06-12 9:21 ` sashiko-bot
2026-06-15 1:00 ` Mi, Dapeng
2026-06-15 1:03 ` Mi, Dapeng
2026-06-12 9:01 ` [Patch v3 4/8] perf/x86/intel: Fix kernel address leakages in LBR stack Dapeng Mi
2026-06-12 9:18 ` sashiko-bot [this message]
2026-06-15 1:01 ` Mi, Dapeng
2026-06-12 9:01 ` [Patch v3 5/8] perf/x86/intel: Validate the return value of intel_pmu_init_hybrid() Dapeng Mi
2026-06-12 9:31 ` sashiko-bot
2026-06-15 1:08 ` Mi, Dapeng
2026-06-12 9:01 ` [Patch v3 6/8] perf/x86/intel: Drop fixed-counter PEBS constraints for baseline PEBS Dapeng Mi
2026-06-12 9:01 ` [Patch v3 7/8] perf/core: Fix kernel register info leak via hardware skid Dapeng Mi
2026-06-12 9:01 ` [Patch v3 8/8] perf/core: Check kernel access when kernel callchains are requested Dapeng Mi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612091842.8E8AB1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dapeng1.mi@linux.intel.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.