From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 8/9] perf bpf: Validate array presence before casting BPF prog info pointers
Date: Tue, 16 Jun 2026 04:39:28 +0000 [thread overview]
Message-ID: <20260616043929.2E57B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260616022715.5739-9-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] The patch adds array bitmask validation for `JITED_KSYMS` and `JITED_FUNC_LENS` in `__bpf_event__print_bpf_prog_info()`, but fails to include `PROG_TAGS` and `FUNC_INFO`. This leaves the function vulnerable to arbitrary pointer dereferences when calling `synthesize_bpf_prog_name()`.
- [High] The patch completely misses adding array bitmask validations to `symbol__disassemble_bpf_libbfd()` in `libbfd.c`, leaving it vulnerable to unconverted pointer dereferences.
--
commit 07052c4321d3973c606cfca5a84ae676ff46cd05
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf bpf: Validate array presence before casting BPF prog info pointers
This patch adds array bitmask validation to several perf.data processing paths
to ensure that bpf_prog_info file offsets are properly converted to valid
pointers before being dereferenced.
> Add array bitmask validation to all perf.data processing paths:
>
> - __bpf_event__print_bpf_prog_info(): check JITED_KSYMS and
> JITED_FUNC_LENS (changed to take struct perf_bpil *)
> - machine__process_bpf_event_load(): check JITED_KSYMS
> - bpf_read(): check JITED_INSNS before memcpy from jited_prog_insns
> - dso__disassemble_filename(): check JITED_INSNS before returning
> jited_prog_insns pointer
[Severity: High]
This isn't a bug introduced by this patch, but does this miss the
processing path in symbol__disassemble_bpf_libbfd() in
tools/perf/util/libbfd.c?
Looking at symbol__disassemble_bpf_libbfd(), it also casts and
dereferences jited_prog_insns and jited_ksyms without verifying their
corresponding PERF_BPIL_ bits are set:
tools/perf/util/libbfd.c:symbol__disassemble_bpf_libbfd() {
    ...
    info.buffer = (void *)(uintptr_t)(info_linear->info.jited_prog_insns);
    ...
    addr = pc + ((u64 *)(uintptr_t)(info_linear->info.jited_ksyms))[sub_id];
    ...
}
Can a crafted perf.data missing these arrays still cause arbitrary memory
reads or segmentation faults during offline disassembly via perf annotate?
> diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
> index 57d53ba848359..fa3ebc8ea7f09 100644
> --- a/tools/perf/util/bpf-event.c
> +++ b/tools/perf/util/bpf-event.c
[ ... ]
> @@ -959,12 +963,15 @@ int evlist__add_bpf_sb_event(struct evlist *evlist, struct perf_env *env)
> return evlist__add_sb_event(evlist, &attr, bpf_event__sb_cb, env);
> }
>
> -void __bpf_event__print_bpf_prog_info(struct bpf_prog_info *info,
> +void __bpf_event__print_bpf_prog_info(struct perf_bpil *info_linear,
> struct perf_env *env,
> FILE *fp)
> {
> - __u32 *prog_lens = (__u32 *)(uintptr_t)(info->jited_func_lens);
> - __u64 *prog_addrs = (__u64 *)(uintptr_t)(info->jited_ksyms);
> + struct bpf_prog_info *info = &info_linear->info;
> + __u64 required_arrays = (1UL << PERF_BPIL_JITED_KSYMS) |
> + (1UL << PERF_BPIL_JITED_FUNC_LENS);
[Severity: High]
This is a pre-existing issue, but does this bitmask also need to include
PERF_BPIL_PROG_TAGS and PERF_BPIL_FUNC_INFO?
Later in this function, synthesize_bpf_prog_name() is called, which accesses
info->prog_tags without checking if it was converted from a file offset:
tools/perf/util/bpf-event.c:synthesize_bpf_prog_name() {
    ...
    name_len += snprintf_hex(buf + name_len, size - name_len,
                             prog_tags[sub_id], BPF_TAG_SIZE);
    ...
}
If a crafted perf.data omits PERF_BPIL_PROG_TAGS from the arrays bitmask
but provides matching counts (e.g., nr_prog_tags == nr_jited_ksyms),
could this dereference unconverted file offsets and cause a crash
during perf report?
> char name[KSYM_NAME_LEN];
> struct btf *btf = NULL;
> u32 sub_prog_cnt, i;
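Review bot: `required_arrays` is declared `__u64`, but the mask on the two `+` lines is built with `1UL <<`, which is only 32 bits wide on 32-bit hosts; `1ULL << PERF_BPIL_JITED_KSYMS` (or `BIT_ULL()`) matches the declared type and removes any dependence on the PERF_BPIL_ indices staying below 32. The comparison that consumes `required_arrays` against `info_linear->arrays`, and the re-derivation of the removed `prog_lens` / `prog_addrs` casts after that check, are not in the quoted lines, so they should be confirmed in the elided part of the diff. Since the parameter type changes from `struct bpf_prog_info *` to `struct perf_bpil *`, the prototype in the header and every caller of `__bpf_event__print_bpf_prog_info()` must change in the same patch; that is also outside the visible hunk.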
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616022715.5739-1-acme@kernel.org?part=8
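The pattern under discussion, as an added example that is not perf's code and not part of the original thread: a bpf_prog_info array field holds a real pointer only after the loader has converted it, and the `arrays` bitmask records which fields were converted, so every cast has to be gated on that bitmask. The `struct bpil`, `struct prog_info` and `enum bpil_array` below are simplified stand-ins for perf's `struct perf_bpil`, the kernel's `struct bpf_prog_info` and `enum perf_bpil_array_types`; the field names follow the excerpts quoted above, the enum values and the sample data are constructed for the example.

```c
/* Added example (not perf's own code): gate every bpf_prog_info pointer
 * cast on the arrays bitmask, including PROG_TAGS, which the review above
 * notes is used by the name synthesis but not covered by the patch's mask.
 * Enum values, struct layouts and sample data are constructed stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BPF_TAG_SIZE 8

/* Simplified mirror of enum perf_bpil_array_types; values are assumptions. */
enum bpil_array {
    BPIL_JITED_INSNS = 0,
    BPIL_JITED_KSYMS = 3,
    BPIL_JITED_FUNC_LENS = 4,
    BPIL_FUNC_INFO = 5,
    BPIL_PROG_TAGS = 8,
};

/* Subset of bpf_prog_info: each array field is a u64 that holds a pointer
 * after conversion and a perf.data file offset before conversion. */
struct prog_info {
    uint32_t nr_jited_ksyms;
    uint32_t nr_prog_tags;
    uint64_t jited_ksyms;     /* u64 addresses      */
    uint64_t jited_func_lens; /* u32 lengths        */
    uint64_t prog_tags;       /* u8[BPF_TAG_SIZE][] */
};

/* Simplified mirror of struct perf_bpil. */
struct bpil {
    uint64_t arrays;          /* bit set => that array was converted */
    struct prog_info info;
};

/* True only when every array in `required` has been converted. */
static int bpil_has_arrays(const struct bpil *il, uint64_t required)
{
    return (il->arrays & required) == required;
}

/* Hardened accessors: NULL instead of casting an unconverted field. */
static const uint64_t *bpil_jited_ksyms(const struct bpil *il)
{
    if (!bpil_has_arrays(il, 1ULL << BPIL_JITED_KSYMS))
        return NULL;
    return (const uint64_t *)(uintptr_t)il->info.jited_ksyms;
}

static const uint8_t *bpil_prog_tag(const struct bpil *il, uint32_t sub_id)
{
    if (!bpil_has_arrays(il, 1ULL << BPIL_PROG_TAGS) ||
        sub_id >= il->info.nr_prog_tags)
        return NULL;
    return (const uint8_t *)(uintptr_t)il->info.prog_tags +
           (size_t)sub_id * BPF_TAG_SIZE;
}

/* The printing path needs KSYMS + FUNC_LENS, and the name synthesis it calls
 * needs PROG_TAGS too. Returns the sub-program count, or -1 if any is missing. */
static int print_prog_required_arrays_ok(const struct bpil *il)
{
    uint64_t required = (1ULL << BPIL_JITED_KSYMS) |
                        (1ULL << BPIL_JITED_FUNC_LENS) |
                        (1ULL << BPIL_PROG_TAGS);
    return bpil_has_arrays(il, required) ? (int)il->info.nr_jited_ksyms : -1;
}

/* Constructed sample data standing in for a loaded perf.data record. */
static uint64_t sample_ksyms[2] = { 0xffffffffc0001000ULL, 0xffffffffc0001100ULL };
static uint32_t sample_func_lens[2] = { 64, 48 };
static uint8_t sample_tags[2][BPF_TAG_SIZE] = {
    { 1, 2, 3, 4, 5, 6, 7, 8 }, { 9, 10, 11, 12, 13, 14, 15, 16 }
};

/* tags_converted == 0 models the crafted record from the review: the counts
 * match, but PROG_TAGS is absent from the bitmask and the field still holds
 * a file offset rather than a pointer. */
static struct bpil make_sample(int tags_converted)
{
    struct bpil il;
    memset(&il, 0, sizeof(il));
    il.info.nr_jited_ksyms = 2;
    il.info.nr_prog_tags = 2;
    il.info.jited_ksyms = (uint64_t)(uintptr_t)sample_ksyms;
    il.info.jited_func_lens = (uint64_t)(uintptr_t)sample_func_lens;
    il.arrays = (1ULL << BPIL_JITED_KSYMS) | (1ULL << BPIL_JITED_FUNC_LENS);
    if (tags_converted) {
        il.info.prog_tags = (uint64_t)(uintptr_t)sample_tags;
        il.arrays |= 1ULL << BPIL_PROG_TAGS;
    } else {
        il.info.prog_tags = 0x1000; /* unconverted file offset */
    }
    return il;
}

/* Small wrappers so the outcome of each scenario is a plain return value. */
static int required_arrays_check(int tags_converted)
{
    struct bpil il = make_sample(tags_converted);
    return print_prog_required_arrays_ok(&il);
}

static int prog_tag_first_byte(int tags_converted, uint32_t sub_id)
{
    struct bpil il = make_sample(tags_converted);
    const uint8_t *tag = bpil_prog_tag(&il, sub_id);
    return tag ? tag[0] : -1;
}

int main(void)
{
    struct bpil il = make_sample(0);
    const uint64_t *ksyms = bpil_jited_ksyms(&il);
    printf("ksyms[1]=%#llx tags=%s print_ok=%d\n",
           (unsigned long long)ksyms[1],
           bpil_prog_tag(&il, 0) ? "converted" : "missing",
           required_arrays_check(0));
    return 0;
}
```

With the tags converted, `print_prog_required_arrays_ok()` reports two sub-programs and the tag bytes are readable; with the bitmask missing `PROG_TAGS`, the accessor returns NULL and the print path refuses to proceed even though `nr_prog_tags == nr_jited_ksyms`, which is exactly the count-only check the review warns is insufficient.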