public inbox for linux-perf-users@vger.kernel.org
From: sashiko-bot@kernel.org
To: "Jakub Brnak" <jbrnak@redhat.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v7 6/7] perf test: Remove perftool drivers
Date: Thu, 16 Apr 2026 19:08:13 +0000
Message-ID: <20260416190814.84A16C2BCAF@smtp.kernel.org>
In-Reply-To: <20260416111419.385010-7-jbrnak@redhat.com>

Sashiko AI review found 1 potential issue(s):
- [Critical] Out-of-bounds stack write in `append_script_to_suite` and `prepare_test_suite` when reading directory paths via `/proc/self/fd/`.
--

commit 1230f358b280e45e7854550cfac958f0de10d7ac
Author: Jakub Brnak <jbrnak@redhat.com>

perf test: Remove perftool drivers

The perf now provides all of the features required for running the
perftool test cases, such as creating log directories, running
setup scripts and the tests are structured by the base_ directories.

[ ... ]

> diff --git a/tools/perf/tests/tests-scripts.c b/tools/perf/tests/tests-scripts.c
> index fc5e1b835ecc3..a83e30ee4a099 100644
> --- a/tools/perf/tests/tests-scripts.c
> +++ b/tools/perf/tests/tests-scripts.c
> @@ -487,9 +487,6 @@ static void append_suites_in_dir(int dir_fd,
>  		if (!is_directory_fd(dir_fd, ent))
>  			continue;
>  
> -		if (strncmp(ent->d_name, "base_", 5) == 0)
> -			continue; /* Skip scripts that have a separate driver. */
> -
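
Review bot: The changelog should say that dropping the `base_` skip in append_suites_in_dir() is what hands those directories to the suite-building code, and that it relies on the drivers going away in the same commit. The deleted comment gives the separate driver as the only reason for the skip, and the visible context leaves is_directory_fd() as the remaining filter on directory entries.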

Since this patch exposes base_ directories to the parsing logic, can this
lead to an out-of-bounds stack write in append_script_to_suite() when reading
directory paths via /proc/self/fd/?

Looking at append_script_to_suite(), readlink() reads the directory path into
a stack buffer file_name[PATH_MAX]:

append_script_to_suite() {
	...
	char file_name[PATH_MAX], link[128];
	...
	len = readlink(link, file_name, sizeof(file_name));
	if (len < 0) {
		...
	}
	file_name[len++] = '/';
	strcpy(&file_name[len], name);
	...
}

readlink() does not null-terminate and returns up to the buffer size.

If the directory's absolute path length is PATH_MAX or greater, readlink()
returns PATH_MAX.

The subsequent code file_name[len++] = '/' then writes to file_name[PATH_MAX],
which is past the end of the array.

Does the following strcpy() overflow file_name[], causing a regression with
a stack buffer overflow?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260416111419.385010-1-jbrnak@redhat.com?part=6
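
The bounds problem raised in the review above, next to a bounded alternative, as an added example that is not part of the original message or of tools/perf. `join_link_path()` is a hypothetical helper, and the 4096-byte buffer and the `example.sh` name are constructed stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * join_link_path() is a hypothetical helper, not a function in tools/perf.
 * It resolves the symlink `link` into out[out_sz] and appends "/name".
 * Returns 0 on success or a negative errno.
 */
static int join_link_path(const char *link, const char *name,
			  char *out, size_t out_sz)
{
	size_t name_len = strlen(name);
	ssize_t len;

	if (out_sz == 0)
		return -EINVAL;
	len = readlink(link, out, out_sz);	/* readlink() writes no NUL */
	if (len < 0)
		return -errno;
	/* A full buffer may be a truncated target, and out[len] would be out of bounds. */
	if ((size_t)len >= out_sz)
		return -ENAMETOOLONG;
	/* Room is needed for '/', the name and the terminating NUL. */
	if (name_len + 2 > out_sz - (size_t)len)
		return -ENAMETOOLONG;
	out[len++] = '/';
	memcpy(&out[len], name, name_len + 1);
	return 0;
}

int main(void)
{
	char link[128], path[4096];	/* 4096 stands in for PATH_MAX */
	int ret, fd = open(".", O_RDONLY);

	if (fd < 0)
		return 1;
	snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
	ret = join_link_path(link, "example.sh", path, sizeof(path));	/* constructed name */
	if (ret == 0)
		puts(path);
	close(fd);
	return ret ? 1 : 0;
}
```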
