From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v1 08/13] perf python: Check counts_values size in set_values
Date: Tue, 23 Jun 2026 22:08:48 +0000
Message-ID: <20260623220849.4D5291F000E9@smtp.kernel.org>
In-Reply-To: <20260623053515.2677888-9-irogers@google.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] The Python bindings for `perf_counts_values` incorrectly use 32-bit-limited C `long` functions and types for `uint64_t` data, leading to data truncation on 32-bit platforms, incorrect negative values, and unhandled `OverflowError` exceptions causing fatal `SystemError` crashes.
- [High] Deleting the `.values` attribute from Python causes a segmentation fault due to a NULL pointer dereference in the property setter.
--

commit a4cb87d6d79ff9be6c884154fa1d1f913fe545d5
Author: Ian Rogers <irogers@google.com>

perf python: Check counts_values size in set_values

The set_values function incorrectly assumed the list contained exactly
5 elements. Add a check to prevent out-of-bounds access.

> diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
> index 21e8b5a23a1c9..f9398bc30a80b 100644
> --- a/tools/perf/util/python.c
> +++ b/tools/perf/util/python.c
> @@ -1913,6 +1913,11 @@ static int pyrf_counts_values_set_values(struct pyrf_counts_values *self, PyObje
>  	}

[Severity: High]
This is a pre-existing issue, but does this function cause a NULL pointer 
dereference when the attribute is deleted?

Just above this context in pyrf_counts_values_set_values():

	if (!PyList_Check(list)) {
		PyErr_SetString(PyExc_TypeError, "Value assigned must be a list");
		return -1;
	}

If a user executes del obj.values from Python code, the Python C API calls 
the property setter with list set to NULL. Passing a NULL list directly into 
PyList_Check(list) will dereference the object to check its type, which 
causes an immediate segmentation fault.

>  
>  	size = PyList_Size(list);
> +	if (size != 5) {
> +		PyErr_SetString(PyExc_ValueError, "List must have exactly 5 entries");
> +		return -1;
> +	}
> +
>  	for (Py_ssize_t i = 0; i < size; i++) {
>  		item = PyList_GetItem(list, i);
>  		if (!PyLong_Check(item)) {
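
Review bot: The literal 5 in the added `if (size != 5)` check, and in its "List must have exactly 5 entries" message, restates the destination's capacity instead of deriving it from the array the loop writes. If self->values.values is a fixed-size array, comparing against ARRAY_SIZE(self->values.values) (or one shared named constant) would keep the check, the message and the `i < size` loop bound tied to the storage they protect. It would also be worth a short comment saying that the check exists to bound the writes in the loop that follows.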

[Severity: High]
This is a pre-existing issue, but can this loop lead to data truncation or
crash the interpreter?

Just below this context in pyrf_counts_values_set_values():

		self->values.values[i] = PyLong_AsLong(item);
	}

Since self->values.values stores uint64_t data, assigning the result of
PyLong_AsLong (which returns a signed C long) can truncate data on 32-bit
platforms or produce incorrect negative values.

Additionally, if PyLong_AsLong raises an OverflowError for very large
integers, the error is silently ignored and 0 is returned to the interpreter,
which triggers a fatal SystemError crash.

The same underlying issue appears in other places where we expose uint64_t
data:

tools/perf/util/python.c:pyrf_counts_values_get_values()
	for (int i = 0; i < 5; i++)
		PyList_SetItem(vals, i, PyLong_FromLong(self->values.values[i]));

tools/perf/util/python.c:pyrf_counts_values_members
	counts_values_member_def(val, T_ULONG, "Value of event"),

Should we be using 64-bit functions like PyLong_AsUnsignedLongLong() and
PyLong_FromUnsignedLongLong(), and ensuring exceptions are caught?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260623053515.2677888-1-irogers@google.com?part=8
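
Added example, not part of the original message or of the perf sources: it calls the four CPython conversion functions named in the review through ctypes.pythonapi, so the signed-long path and the unsigned-long-long path can be compared on constructed counter values. The helper names are hypothetical. ctypes re-raises the pending exception after each call, which is the check the review says the C setter is missing.

```python
import ctypes

api = ctypes.pythonapi  # PyDLL: re-raises any exception the C call leaves set

# Prototypes of the four real CPython conversion functions named in the review.
api.PyLong_AsLong.argtypes = [ctypes.py_object]
api.PyLong_AsLong.restype = ctypes.c_long
api.PyLong_AsUnsignedLongLong.argtypes = [ctypes.py_object]
api.PyLong_AsUnsignedLongLong.restype = ctypes.c_ulonglong
api.PyLong_FromLong.argtypes = [ctypes.c_long]
api.PyLong_FromLong.restype = ctypes.py_object
api.PyLong_FromUnsignedLongLong.argtypes = [ctypes.c_ulonglong]
api.PyLong_FromUnsignedLongLong.restype = ctypes.py_object

UINT64_MAX = 2**64 - 1

def set_via_long(item):
    """Setter as quoted: a signed C long assigned into a uint64_t slot."""
    return ctypes.c_uint64(api.PyLong_AsLong(item)).value

def set_via_ull(item):
    """Setter using the 64-bit unsigned conversion."""
    return api.PyLong_AsUnsignedLongLong(item)

def get_via_long(stored):
    """Getter as quoted: the uint64_t is narrowed to long before boxing."""
    return api.PyLong_FromLong(ctypes.c_long(stored).value)

def get_via_ull(stored):
    """Getter using the 64-bit unsigned conversion."""
    return api.PyLong_FromUnsignedLongLong(stored)

def outcome(fn, arg):
    """Return fn(arg), or the exception name when the conversion rejects arg."""
    try:
        return fn(arg)
    except (OverflowError, TypeError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    for v in (1, -1, 2**31, 2**63, UINT64_MAX):  # constructed sample counters
        print(f"{v:>22} set long={outcome(set_via_long, v)!s:<22}"
              f" set ull={outcome(set_via_ull, v)}")
    for s in (2**63, UINT64_MAX):
        print(f"stored {s}: get long={get_via_long(s)} get ull={get_via_ull(s)}")
```

Results for 2**31 and 2**63 depend on the width of C long on the platform; the -1 and UINT64_MAX cases behave the same on 32-bit and 64-bit long.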
