From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v3 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses
Date: Mon, 04 May 2026 04:51:22 +0000 [thread overview]
Message-ID: <20260504045123.90662C2BCB8@smtp.kernel.org> (raw)
In-Reply-To: <20260504035125.1851720-4-irogers@google.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Breakpoint addresses (bp_addr) are not scrubbed when processing regular perf.data files or synthesizing for a pipe, defeating the ASLR protection.
- [High] The --aslr option defeats kernel ASLR obfuscation by deterministically encoding the original kernel start address into the emitted mmap.pgoff field.
- [Medium] The `skipn` function does not handle `EINTR` when reading from a pipe, which can cause spurious tool aborts.
--
commit e61cd92f35f2e374d97add5939b1983c327eae98
Author: Ian Rogers <irogers@google.com>
perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses
This commit adds an --aslr option to perf inject to remap virtual addresses
in perf.data files. This prevents virtual addresses from leaking when
transferring perf data between machines, thus weakening ASLR. Unhandled
events are dropped to conservatively avoid leaking ASLR information.
> diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
> index f174bc69cec4..6e6bf6b67956 100644
> --- a/tools/perf/builtin-inject.c
> +++ b/tools/perf/builtin-inject.c
[ ... ]
> @@ -2763,12 +2777,12 @@ int cmd_inject(int argc, const char **argv)
> /*
> * If the input is already a pipe then the features and
> * attributes don't need synthesizing, they will be present in
> * the input.
> */
> if (!data.is_pipe) {
> ret = perf_event__synthesize_for_pipe(&inject.tool,
> inject.session,
> &inject.output,
> perf_event__repipe);
Does this bypass the ASLR tool wrapper for ATTR events and leave breakpoint
addresses unscrubbed?
The aslr_tool__process_attr() function zeros out bp_addr, but this callback
only intercepts ATTR events in the main event stream. If the output is a pipe,
perf_event__synthesize_for_pipe() uses perf_event__repipe directly, bypassing
the scrubbing and exposing the original bp_addr in the output stream.
When processing regular input files, ATTR configurations are parsed from the
file header and stored in session->evlist. Does perf_session__inject_header()
write this un-scrubbed evlist directly into the output file's header, also
leaking the original bp_addr?
[ ... ]
> diff --git a/tools/perf/util/aslr.c b/tools/perf/util/aslr.c
> new file mode 100644
> index 000000000000..32548352e1e5
> --- /dev/null
> +++ b/tools/perf/util/aslr.c
[ ... ]
> +static int skipn(int fd, u64 n)
> +{
> + char buf[4096];
> + ssize_t ret;
> +
> + while (n > 0) {
> + ret = read(fd, buf, (n < (u64)sizeof(buf) ? n : (u64)sizeof(buf)));
> + if (ret <= 0)
> + return ret;
> + n -= ret;
> + }
> +
> + return 0;
> +}
Can this cause spurious tool aborts if read() is interrupted by a signal
(like SIGWINCH)?
This function explicitly checks if ret <= 0 and returns it without checking
for EINTR, which allows the error to propagate back to the event processing
loop and prematurely abort the perf inject session.
Should this utilize readn() or preadn() from the perf library which correctly
handle EINTR?
[ ... ]
> +static int aslr_tool__process_mmap(const struct perf_tool *tool,
> + union perf_event *event,
> + struct perf_sample *sample,
> + struct machine *machine)
> +{
[ ... ]
> + /* Remaps the mmap.start. */
> + new_event->mmap.start = aslr_tool__remap_mapping(aslr, thread, cpumode,
> + event->mmap.start,
> + event->mmap.len,
> + event->mmap.pgoff);
> + if (aslr->first_kernel_mapping && cpumode == PERF_RECORD_MISC_KERNEL) {
> + /*
> + * If this is the first kernel image, we need to adjust the pgoff by a
> + * similar delta.
> + */
> + new_event->mmap.pgoff = event->mmap.pgoff - event->mmap.start +
> + new_event->mmap.start;
Does this adjustment of pgoff allow recovering the original kernel ASLR base?
Since event->mmap.pgoff is typically a known public constant for the first
kernel image mapping (e.g., 0 or a fixed ELF offset), and the output trace
exposes both new_event->mmap.start and new_event->mmap.pgoff, could an
attacker trivially reverse the equation:
old_start = new_start - new_pgoff + old_pgoff
Does this mathematical leak nullify the ASLR obfuscation intended for the
kernel image?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260504035125.1851720-1-irogers@google.com?part=3
next prev parent reply other threads:[~2026-05-04 4:51 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 22:05 [PATCH v1 1/2] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-04-24 22:05 ` [PATCH v1 2/2] perf test: Add inject ASLR test Ian Rogers
2026-04-24 22:47 ` sashiko-bot
2026-04-24 22:36 ` [PATCH v1 1/2] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses sashiko-bot
2026-04-25 2:05 ` [PATCH v2 " Ian Rogers
2026-04-25 2:05 ` [PATCH v2 2/2] perf test: Add inject ASLR test Ian Rogers
2026-05-04 3:51 ` [PATCH v3 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-04 3:51 ` [PATCH v3 1/4] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-04 3:51 ` [PATCH v3 2/4] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-04 3:51 ` [PATCH v3 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-04 4:51 ` sashiko-bot [this message]
2026-05-04 3:51 ` [PATCH v3 4/4] perf test: Add inject ASLR test Ian Rogers
2026-05-04 5:02 ` sashiko-bot
2026-05-04 7:29 ` [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-04 7:29 ` [PATCH v4 1/4] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-04 7:29 ` [PATCH v4 2/4] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-04 7:29 ` [PATCH v4 3/4] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-04 8:39 ` sashiko-bot
2026-05-04 7:29 ` [PATCH v4 4/4] perf test: Add inject ASLR test Ian Rogers
2026-05-04 8:48 ` sashiko-bot
2026-05-04 8:23 ` [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-06 0:45 ` [PATCH v5 0/5] " Ian Rogers
2026-05-06 0:45 ` [PATCH v5 1/5] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-06 13:22 ` Arnaldo Carvalho de Melo
2026-05-06 16:16 ` Ian Rogers
2026-05-06 0:45 ` [PATCH v5 2/5] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-06 0:45 ` [PATCH v5 3/5] perf symbols: Fix map removal sequence inside dso__process_kernel_symbol() Ian Rogers
2026-05-06 1:45 ` sashiko-bot
2026-05-06 0:45 ` [PATCH v5 4/5] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-06 2:40 ` sashiko-bot
2026-05-06 18:52 ` Namhyung Kim
2026-05-06 20:01 ` Ian Rogers
2026-05-06 0:45 ` [PATCH v5 5/5] perf test: Add inject ASLR test Ian Rogers
2026-05-07 15:58 ` James Clark
2026-05-07 16:17 ` Ian Rogers
2026-05-08 10:42 ` James Clark
2026-05-08 10:49 ` James Clark
2026-05-08 8:27 ` [PATCH v6 0/6] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-08 8:27 ` [PATCH v6 1/6] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-08 8:27 ` [PATCH v6 2/6] perf tool: Missing delegate_tool schedstat delegates and dont_split_sample_group Ian Rogers
2026-05-08 8:27 ` [PATCH v6 3/6] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-08 10:57 ` James Clark
2026-05-08 20:37 ` sashiko-bot
2026-05-11 7:07 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 4/6] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-08 21:22 ` sashiko-bot
2026-05-11 7:32 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 5/6] perf test: Add inject ASLR test Ian Rogers
2026-05-08 13:29 ` James Clark
2026-05-08 14:29 ` James Clark
2026-05-11 7:34 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 6/6] perf aslr: Strip sample registers Ian Rogers
2026-05-08 21:49 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260504045123.90662C2BCB8@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox