From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 7/8] perf tools: Use calloc() where applicable
Date: Wed, 08 Apr 2026 18:47:35 +0000 [thread overview]
Message-ID: <20260408184736.6F572C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260408173203.96700-8-acme@kernel.org>
Sashiko AI review found 2 potential issue(s):
- [High] Integer truncation in process_mem_topology() leads to an undersized allocation and a heap buffer overflow when parsing a crafted perf.data file.
- [High] Integer truncation in mem2node__init() via bitmap_weight() and test_bit() causes an undersized allocation and heap buffer overflow.
--
commit 06556b26772333b2ba2aa88d01fed0ea985e6ec4
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf tools: Use calloc() where applicable
This commit replaces instances of zalloc with calloc across the perf tools
codebase to better handle array allocations. It also adjusts includes for
the standard library and kernel zalloc headers where dependencies changed.
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
[ ... ]
> @@ -3260,7 +3260,7 @@ static int process_mem_topology(struct feat_fd *ff,
> if (do_read_u64(ff, &nr))
> return -1;
>
> - nodes = zalloc(sizeof(*nodes) * nr);
> + nodes = calloc(nr, sizeof(*nodes));
While not introduced by this patch, nr is read as a u64 from the file.
On 32-bit architectures, passing it to calloc, which takes size_t,
truncates it. For example, if nr is 0x100000002, calloc allocates space for
only 2 elements.
However, the subsequent loop for (i = 0; i < nr; i++) uses the full 64-bit
nr value. Could this result in a heap buffer overflow when reading the
entries if parsing a crafted perf.data file?
> diff --git a/tools/perf/util/mem2node.c b/tools/perf/util/mem2node.c
> --- a/tools/perf/util/mem2node.c
> +++ b/tools/perf/util/mem2node.c
[ ... ]
> @@ -59,7 +59,7 @@ int mem2node__init(struct mem2node *map, struct perf_env *env)
> max += bitmap_weight(n->set, n->size);
> }
>
> - entries = zalloc(sizeof(*entries) * max);
> + entries = calloc(max, sizeof(*entries));
Similarly, in the preceding loop, n->size is a u64, but bitmap_weight
expects an unsigned int for the number of bits. If n->size exceeds 32 bits,
it is truncated, resulting in max being too small and an undersized
allocation here.
Later, the loop for (bit = 0; bit < n->size; bit++) iterates u64 times
and calls test_bit(bit, n->set). Since test_bit expects an int or unsigned
int, bit is also truncated. Will this repeatedly re-test the first 32 bits
and cause out-of-bounds writes into the entries array?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260408173203.96700-1-acme@kernel.org?part=7
next prev parent reply other threads:[~2026-04-08 18:47 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 17:31 [PATCHES perf-tools-next v6 0/8] Cleanups and fixes Arnaldo Carvalho de Melo
2026-04-08 17:31 ` [PATCH 1/8] perf symbols: Make variable receiving result strrchr() const Arnaldo Carvalho de Melo
2026-04-08 17:31 ` [PATCH 2/8] perf util: Kill die() prototype, dead for a long time Arnaldo Carvalho de Melo
2026-04-08 17:31 ` [PATCH 3/8] perf tools: Make more global variables static Arnaldo Carvalho de Melo
2026-04-08 17:31 ` [PATCH 4/8] perf bench: Constify tables Arnaldo Carvalho de Melo
2026-04-08 17:32 ` [PATCH 5/8] perf header: Use a max number of command line args Arnaldo Carvalho de Melo
2026-04-08 18:09 ` sashiko-bot
2026-04-08 17:32 ` [PATCH 6/8] perf header: Do validation of perf.data HEADER_CPU_DOMAIN_INFO Arnaldo Carvalho de Melo
2026-04-08 18:28 ` sashiko-bot
2026-04-08 17:32 ` [PATCH 7/8] perf tools: Use calloc() where applicable Arnaldo Carvalho de Melo
2026-04-08 18:47 ` sashiko-bot [this message]
2026-04-08 17:32 ` [PATCH 8/8] perf tools: Replace basename() calls with perf_basename() Arnaldo Carvalho de Melo
-- strict thread matches above, loose matches on Subject: below --
2026-04-08 17:28 [PATCHES perf-tools-next v5 0/7] Cleanups and fixes Arnaldo Carvalho de Melo
2026-04-08 17:28 ` [PATCH 7/8] perf tools: Use calloc() where applicable Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260408184736.6F572C19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox