From: sashiko-bot@kernel.org
To: "Tanushree Shah" <tshah@linux.ibm.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v2] perf dso: Fix kallsyms DSO detection with fallback logic
Date: Thu, 16 Apr 2026 11:09:04 +0000 [thread overview]
Message-ID: <20260416110905.3A68AC2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <20260416091657.578429-2-tshah@linux.ibm.com>
Sashiko AI review found 2 potential issue(s):
- [High] Path Traversal and Information Disclosure due to `strncmp` matching any prefix.
- [Medium] Incomplete fix: Fallback logic is missing from `dso__is_kcore()` and `dso__is_vmlinux()`.
--
commit 9ee80283f13c6a0a5235a2add7a94736c1dfcbba
Author: Tanushree Shah <tshah@linux.ibm.com>
perf dso: Fix kallsyms DSO detection with fallback logic
This commit fixes an issue where kallsyms DSOs are not correctly identified
during build-id injection because the dso_binary_type is not yet set. It
adds a fallback string matching check against the DSO's long_name.
> diff --git a/tools/perf/util/dso.h b/tools/perf/util/dso.h
> index ede691e9a2495..515ab6e95b0e4 100644
> --- a/tools/perf/util/dso.h
> +++ b/tools/perf/util/dso.h
[ ... ]
> @@ -915,6 +917,14 @@ static inline bool dso__is_kallsyms(const struct dso *dso)
> {
> enum dso_binary_type bt = dso__binary_type(dso);
>
> + if (bt == DSO_BINARY_TYPE__NOT_FOUND) {
Since the fallback logic was added here because dso_binary_type(dso) is
DSO_BINARY_TYPE__NOT_FOUND during perf record and inject, do dso__is_kcore()
and dso__is_vmlinux() require a similar fallback?
Looking at dso__cache_build_id(), it relies on dso__is_kcore() to flag the
DSO for special caching logic. If dso__is_kcore() returns false during
build-id caching, kcore DSOs are treated as regular files, which causes
nsinfo__realpath() to fail and breaks perf archive for kcore sessions.
> + return RC_CHK_ACCESS(dso)->kernel &&
> + ((strncmp(RC_CHK_ACCESS(dso)->long_name, DSO__NAME_KALLSYMS,
> + strlen(DSO__NAME_KALLSYMS)) == 0) ||
Does using strncmp() here allow a path traversal if long_name is
intentionally crafted?
If a malicious perf.data file contains an MMAP event with a filename like
"[kernel.kallsyms]/../../../../tmp/leak", this prefix check evaluates
to true.
Could this allow build_id_cache__cachedir() to construct a cache directory
using this malicious path, causing build_id_cache__add() to unconditionally
copy the host's /proc/kallsyms into an attacker-controlled directory?
> + (strncmp(RC_CHK_ACCESS(dso)->long_name, DSO__PREFIX_GUEST_KALLSYMS,
> + strlen(DSO__PREFIX_GUEST_KALLSYMS)) == 0));
> + }
> +
> return bt == DSO_BINARY_TYPE__KALLSYMS || bt == DSO_BINARY_TYPE__GUEST_KALLSYMS;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260416091657.578429-2-tshah@linux.ibm.com?part=1
prev parent reply other threads:[~2026-04-16 11:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 9:16 [PATCH v2] perf dso: Fix kallsyms DSO detection with fallback logic Tanushree Shah
2026-04-16 11:09 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260416110905.3A68AC2BCAF@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
--cc=tshah@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox