Re: [PATCH V3] tools/perf: Fix the check for parameterized field in event term

[sashiko-bot@kernel.org]

Sashiko AI review found 1 potential issue(s):
- [High] Unconditional increment of `buf_used` causes unsigned integer underflow leading to a stack buffer overflow.
--

commit 105f365626ee620dbee6f08aafbe58eaca32755c
Author: Athira Rajeev <atrajeev@linux.ibm.com>

tools/perf: Fix the check for parameterized field in event term

This commit fixes the event term checking by changing strstr(alias->terms, "=?");
to !strstr(alias->terms, "=?"). It also replaces some snprintf calls with
scnprintf in buffer offset calculations to prevent out-of-bounds counting.

> diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
> index 23337d2fa281..ca0ceb0623ca 100644
> --- a/tools/perf/util/pmu.c
> +++ b/tools/perf/util/pmu.c

[ ... ]

> @@ -2237,13 +2241,13 @@ int perf_pmu__for_each_event(struct perf_pmu *pmu, bool skip_duplicate_pmus,
>  		info.scale_unit = NULL;
>  		if (strlen(event->unit) || event->scale != 1.0) {
>  			info.scale_unit = buf + buf_used;
> -			buf_used += snprintf(buf + buf_used, sizeof(buf) - buf_used,
> +			buf_used += scnprintf(buf + buf_used, sizeof(buf) - buf_used,
>  					"%G%s", event->scale, event->unit) + 1;
>  		}

Can this unconditional + 1 addition to buf_used cause a regression by
triggering a stack buffer overflow in the subsequent scnprintf call?

buf is a local 1024-byte stack array, and buf_used tracks the offset as an
unsigned size_t. If format_alias() fills buf to its limit, strlen(buf) will
be 1023, causing buf_used to be initialized to 1024.

If the event has a scale or unit, the size parameter to scnprintf becomes
sizeof(buf) - buf_used, which evaluates to 1024 - 1024 = 0. scnprintf safely
writes nothing and returns 0.

However, buf_used += 0 + 1 unconditionally increments buf_used to 1025.

>  		info.desc = event->desc;
>  		info.long_desc = event->long_desc;
>  		info.encoding_desc = buf + buf_used;
> -		buf_used += snprintf(buf + buf_used, sizeof(buf) - buf_used,
> +		buf_used += scnprintf(buf + buf_used, sizeof(buf) - buf_used,
>  				"%.*s/%s/", (int)pmu_name_len, info.pmu_name, event->terms) + 1;

Does the size calculation sizeof(buf) - buf_used underflow here?

Since buf_used is now 1025, 1024 - 1025 underflows the size_t type to
SIZE_MAX. scnprintf would then be invoked with an effectively unbounded size
and an out-of-bounds pointer (buf + 1025), which could overwrite adjacent
memory on the stack.

Would it be better to bound the remaining space calculation and only increment
the offset if space actually existed, perhaps using sub_non_neg() like the
patch does earlier in format_alias()?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260426080056.16558-1-atrajeev@linux.ibm.com?part=1