From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: sashiko@lists.linux.dev
Cc: linux-perf-users@vger.kernel.org, Ian Rogers <irogers@google.com>,
Namhyung Kim <namhyung@kernel.org>
Subject: Re: [PATCH 4/5] perf header: Validate bitmap size before allocating in do_read_bitmap()
Date: Thu, 16 Apr 2026 12:26:31 -0300 [thread overview]
Message-ID: <aeD_p9iGYlNNSSNZ@x1> (raw)
In-Reply-To: <20260416022540.287E3C19424@smtp.kernel.org>
On Thu, Apr 16, 2026 at 02:25:38AM +0000, sashiko-bot@kernel.org wrote:
> Sashiko AI review found 1 potential issue(s):
> - [High] Integer overflow in process_mem_topology() leading to heap buffer overflow
> --
>
> commit cc7a509cea916b4f4ae9c056c5eb0517bac22dfa
> Author: Arnaldo Carvalho de Melo <acme@redhat.com>
>
> perf header: Validate bitmap size before allocating in do_read_bitmap()
>
> This patch updates do_read_bitmap() to validate the u64 bit count read
> from the file before allocating memory. It rejects sizes that exceed
> INT_MAX or exceed the remaining section bounds, preventing potential
> large allocations or truncation issues with bitmap_zalloc().
>
> Link: https://lore.kernel.org/linux-perf-users/20260414224622.2AE69C19425@smtp.kernel.org/
>
> > diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> > index 696f19739074e..89697aec914c9 100644
> > --- a/tools/perf/util/header.c
> > +++ b/tools/perf/util/header.c
> > @@ -290,6 +290,11 @@ static int do_read_bitmap(struct feat_fd *ff, unsigned long **pset, u64 *psize)
> > if (ret)
> > return ret;
> >
> > + /* bitmap_zalloc() takes an int; reject u64 values that truncate. */
> > + if (size > INT_MAX ||
> > + BITS_TO_U64(size) > (ff->size - ff->offset) / sizeof(u64))
> > + return -1;
> > +
> > set = bitmap_zalloc(size);
> > if (!set)
> > return -ENOMEM;
>
> This isn't a bug introduced by this patch, but since the commit message notes
> that do_read_bitmap() is used by process_mem_topology(), does the same missing
> validation exist when allocating the nodes array in process_mem_topology()?
>
> tools/perf/util/header.c:process_mem_topology() {
> ...
> if (do_read_u64(ff, &nr))
> return -1;
>
> nodes = zalloc(sizeof(*nodes) * nr);
This code now already has a bounds check and is using calloc:
if (do_read_u64(ff, &nr))
return -1;
if (nr > MAX_NUMA_NODES) {
pr_err("Invalid HEADER_MEM_TOPOLOGY: nr_nodes (%llu) > %u\n",
(unsigned long long)nr, MAX_NUMA_NODES);
return -1;
}
if (ff->size < 3 * sizeof(u64) + nr * 2 * sizeof(u64)) {
pr_err("Invalid HEADER_MEM_TOPOLOGY: section too small (%zu) for %llu nodes\n",
ff->size, (unsigned long long)nr);
return -1;
}
nodes = calloc(nr, sizeof(*nodes));
if (!nodes)
return -1;
Probably you're working with upstream and the fixes are in
perf-tools-next/perf-tools-next.
> if (!nodes)
> return -1;
>
> for (i = 0; i < nr; i++) {
> struct memory_node n;
> ...
> nodes[i] = n;
> }
> ...
> }
>
> Because nr is an unvalidated 64-bit integer read from perf.data, could a
> crafted value like 0x2000000000000000 cause the 64-bit multiplication
> (24 * nr) to wrap around to 0 during the zalloc() call?
>
> If zalloc(0) succeeds and allocates a minimum-sized heap chunk, the loop
> could iterate and write beyond the allocated bounds when assigning
> nodes[i] = n on subsequent iterations.
>
> Could this overflow the nodes[] buffer?
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260416001424.362797-1-acme@kernel.org?part=4
next prev parent reply other threads:[~2026-04-16 15:26 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 0:14 [PATCHES 0/5 v2] More perf.data header validation Arnaldo Carvalho de Melo
2026-04-16 0:14 ` [PATCH 1/5] perf header: Add section bounds checking to the fd read path Arnaldo Carvalho de Melo
2026-04-16 0:59 ` sashiko-bot
2026-04-16 14:43 ` Arnaldo Carvalho de Melo
2026-04-16 0:14 ` [PATCH 2/5] perf header: Validate string length before allocating in do_read_string() Arnaldo Carvalho de Melo
2026-04-16 0:14 ` [PATCH 3/5] perf header: Sanity check HEADER_EVENT_DESC Arnaldo Carvalho de Melo
2026-04-16 1:54 ` sashiko-bot
2026-04-16 15:11 ` Arnaldo Carvalho de Melo
2026-04-16 0:14 ` [PATCH 4/5] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-04-16 2:25 ` sashiko-bot
2026-04-16 15:26 ` Arnaldo Carvalho de Melo [this message]
2026-04-16 0:14 ` [PATCH 5/5] perf header: Fix 32-bit incompatibility in bitmap serialization Arnaldo Carvalho de Melo
2026-04-16 13:17 ` [PATCHES 0/5 v2] More perf.data header validation James Clark
2026-04-16 15:28 ` Arnaldo Carvalho de Melo
2026-04-16 16:46 ` Namhyung Kim
2026-04-16 19:35 ` Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aeD_p9iGYlNNSSNZ@x1 \
--to=acme@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=namhyung@kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.