* Re: [PATCH] perf branch: Fix heap out-of-bounds write in branch_type_count() [not found] <20250809093812.308027-1-yujundong@pascal-lab.net> @ 2025-08-11 7:03 ` Anshuman Khandual 2025-08-12 7:31 ` Yujun Dong 0 siblings, 1 reply; 3+ messages in thread From: Anshuman Khandual @ 2025-08-11 7:03 UTC (permalink / raw) To: Yujun Dong, linux-perf-users Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter, Liang, Kan, linux-kernel On 09/08/25 3:08 PM, Yujun Dong wrote: > The branch_type_count() function writes to st->new_counts[flags->new_type] > when flags->type is PERF_BR_EXTEND_ABI. However, while the array > st->new_counts is sized for PERF_BR_NEW_MAX (8) entries, the field > flags->new_type is a 4-bit unsigned value and may hold values up to 15. > > This mismatch allows crafted perf data to trigger a heap out-of-bounds > write when flags->new_type >= 8, leading to memory corruption. Crafted ? How could flags->new_type >= 8 when PERF_BR_NEW_MAX is capped at 8. Is this a real scenario that happened on a system ? > > Add a bounds check to ensure flags->new_type is less than > PERF_BR_NEW_MAX before accessing the new_counts array. But it might make sense to add this check just to be on the safer side. > > Fixes: 0ddea8e2a0c2 ("perf branch: Extend branch type classification") > Signed-off-by: Yujun Dong <yujundong@pascal-lab.net> > --- > tools/perf/util/branch.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/tools/perf/util/branch.c b/tools/perf/util/branch.c > index 3712be067464..8ea6628c7735 100644 > --- a/tools/perf/util/branch.c > +++ b/tools/perf/util/branch.c > @@ -21,10 +21,12 @@ void branch_type_count(struct branch_type_stat *st, struct branch_flags *flags, > if (flags->type == PERF_BR_UNKNOWN || from == 0) > return; > > - if (flags->type == PERF_BR_EXTEND_ABI) > - st->new_counts[flags->new_type]++; > - else > + if (flags->type == PERF_BR_EXTEND_ABI) { > + if (flags->new_type < PERF_BR_NEW_MAX) > + st->new_counts[flags->new_type]++; > + } else { > st->counts[flags->type]++; > + } > > if (flags->type == PERF_BR_COND) { > if (to > from) ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] perf branch: Fix heap out-of-bounds write in branch_type_count() 2025-08-11 7:03 ` [PATCH] perf branch: Fix heap out-of-bounds write in branch_type_count() Anshuman Khandual @ 2025-08-12 7:31 ` Yujun Dong 2025-08-13 14:20 ` Anshuman Khandual 0 siblings, 1 reply; 3+ messages in thread From: Yujun Dong @ 2025-08-12 7:31 UTC (permalink / raw) To: Anshuman Khandual, linux-perf-users Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter, Liang, Kan, linux-kernel On 2025/8/11 15:03, Anshuman Khandual wrote: > On 09/08/25 3:08 PM, Yujun Dong wrote: > > The branch_type_count() function writes to st->new_counts[flags->new_type] > > when flags->type is PERF_BR_EXTEND_ABI. However, while the array > > st->new_counts is sized for PERF_BR_NEW_MAX (8) entries, the field > > flags->new_type is a 4-bit unsigned value and may hold values up to 15. > > > > This mismatch allows crafted perf data to trigger a heap out-of-bounds > > write when flags->new_type >= 8, leading to memory corruption. > > Crafted ? How could flags->new_type >= 8 when PERF_BR_NEW_MAX is capped at 8. > Is this a real scenario that happened on a system ? > Thanks for your review and for raising that question. The new_type field in struct branch_flags is declared as a 4-bit bitfield (u64 new_type:4), meaning it can hold values from 0 to 15, even though PERF_BR_NEW_MAX is defined as 8. So, it's entirely possible for flags->new_type to be >= 8. In fact, I've observed such cases when running real-world perf record/top, where perf.data produced contains invalid new_type values, likely due to other bugs or unexpected data corruption. Additionally, a maliciously crafted perf.data file can also force this out-of-bounds write. > > > > Add a bounds check to ensure flags->new_type is less than > > PERF_BR_NEW_MAX before accessing the new_counts array. > > But it might make sense to add this check just to be on the safer side. > Notably, new_type is only used in two places: 1. In branch_new_type_name(), where the bounds are already validated. 2. In branch_type_count(), where the current patch now adds the necessary check. Admittedly, the mismatch between the bit-field width (0-15) and PERF_BR_NEW_MAX (8) is the root cause. While adjusting the bit-field to match PERF_BR_NEW_MAX would also resolve the mismatch, that risks breaking existing compatibility. Therefore, adding a bounds check at the use site is the least disruptive correction. > > > > Fixes: 0ddea8e2a0c2 ("perf branch: Extend branch type classification") > > Signed-off-by: Yujun Dong <yujundong@pascal-lab.net> > > --- > > tools/perf/util/branch.c | 8 +++++--- > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > diff --git a/tools/perf/util/branch.c b/tools/perf/util/branch.c > > index 3712be067464..8ea6628c7735 100644 > > --- a/tools/perf/util/branch.c > > +++ b/tools/perf/util/branch.c > > @@ -21,10 +21,12 @@ void branch_type_count(struct branch_type_stat *st, struct branch_flags *flags, > > if (flags->type == PERF_BR_UNKNOWN || from == 0) > > return; > > > > - if (flags->type == PERF_BR_EXTEND_ABI) > > - st->new_counts[flags->new_type]++; > > - else > > + if (flags->type == PERF_BR_EXTEND_ABI) { > > + if (flags->new_type < PERF_BR_NEW_MAX) > > + st->new_counts[flags->new_type]++; > > + } else { > > st->counts[flags->type]++; > > + } > > > > if (flags->type == PERF_BR_COND) { > > if (to > from) > ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] perf branch: Fix heap out-of-bounds write in branch_type_count() 2025-08-12 7:31 ` Yujun Dong @ 2025-08-13 14:20 ` Anshuman Khandual 0 siblings, 0 replies; 3+ messages in thread From: Anshuman Khandual @ 2025-08-13 14:20 UTC (permalink / raw) To: Yujun Dong, linux-perf-users Cc: Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter, Liang, Kan, linux-kernel On 12/08/25 1:01 PM, Yujun Dong wrote: > On 2025/8/11 15:03, Anshuman Khandual wrote: >> On 09/08/25 3:08 PM, Yujun Dong wrote: >> > The branch_type_count() function writes to st->new_counts[flags->new_type] >> > when flags->type is PERF_BR_EXTEND_ABI. However, while the array >> > st->new_counts is sized for PERF_BR_NEW_MAX (8) entries, the field >> > flags->new_type is a 4-bit unsigned value and may hold values up to 15. >> > >> > This mismatch allows crafted perf data to trigger a heap out-of-bounds >> > write when flags->new_type >= 8, leading to memory corruption. >> >> Crafted ? How could flags->new_type >= 8 when PERF_BR_NEW_MAX is capped at 8. >> Is this a real scenario that happened on a system ? >> > > Thanks for your review and for raising that question. The new_type field > in struct branch_flags is declared as a 4-bit bitfield (u64 new_type:4), > meaning it can hold values from 0 to 15, even though PERF_BR_NEW_MAX is > defined as 8. So, it's entirely possible for flags->new_type to be >= 8. Sure it is possible but not probable I guess as new_type itself would be first guarded by PERF_BR_NEW_MAX. > > In fact, I've observed such cases when running real-world perf record/top, > where perf.data produced contains invalid new_type values, likely due to > other bugs or unexpected data corruption. Additionally, a maliciously > crafted perf.data file can also force this out-of-bounds write. Agreed. > >> > >> > Add a bounds check to ensure flags->new_type is less than >> > PERF_BR_NEW_MAX before accessing the new_counts array. >> >> But it might make sense to add this check just to be on the safer side. >> > > Notably, new_type is only used in two places: > 1. In branch_new_type_name(), where the bounds are already validated. > 2. In branch_type_count(), where the current patch now adds the > necessary check. Agreed - this change will ensure consistency across both the functions. > > Admittedly, the mismatch between the bit-field width (0-15) and > PERF_BR_NEW_MAX (8) is the root cause. While adjusting the bit-field > to match PERF_BR_NEW_MAX would also resolve the mismatch, that risks > breaking existing compatibility. Therefore, adding a bounds check at > the use site is the least disruptive correction. Right, increasing PERF_BR_NEW_MAX to 15 will not be desirable. > >> > >> > Fixes: 0ddea8e2a0c2 ("perf branch: Extend branch type classification") >> > Signed-off-by: Yujun Dong <yujundong@pascal-lab.net> >> > --- >> > tools/perf/util/branch.c | 8 +++++--- >> > 1 file changed, 5 insertions(+), 3 deletions(-) >> > >> > diff --git a/tools/perf/util/branch.c b/tools/perf/util/branch.c >> > index 3712be067464..8ea6628c7735 100644 >> > --- a/tools/perf/util/branch.c >> > +++ b/tools/perf/util/branch.c >> > @@ -21,10 +21,12 @@ void branch_type_count(struct branch_type_stat *st, struct branch_flags *flags, >> > if (flags->type == PERF_BR_UNKNOWN || from == 0) >> > return; >> > >> > - if (flags->type == PERF_BR_EXTEND_ABI) >> > - st->new_counts[flags->new_type]++; >> > - else >> > + if (flags->type == PERF_BR_EXTEND_ABI) { >> > + if (flags->new_type < PERF_BR_NEW_MAX) >> > + st->new_counts[flags->new_type]++; >> > + } else { >> > st->counts[flags->type]++; >> > + } >> > >> > if (flags->type == PERF_BR_COND) { >> > if (to > from) >> >Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com> ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-08-13 14:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20250809093812.308027-1-yujundong@pascal-lab.net>
2025-08-11 7:03 ` [PATCH] perf branch: Fix heap out-of-bounds write in branch_type_count() Anshuman Khandual
2025-08-12 7:31 ` Yujun Dong
2025-08-13 14:20 ` Anshuman Khandual
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).