From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event()
Date: Sun, 24 May 2026 04:31:08 +0000 [thread overview]
Message-ID: <20260524043108.E7F771F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260524032709.1080771-29-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [Critical] The patch attempts to fix a Time-of-Check to Time-of-Use (TOCTOU) race by snapshotting `event->header.size` into a local variable using `READ_ONCE()`, but takes the snapshot after the size has already been validated by the caller. This allows an attacker to concurrently shrink the size in shared memory, causing integer underflows in length calculations and bypassing bounds checks.
- [High] The patch leaves downstream event callbacks vulnerable to Time-of-Check to Time-of-Use (TOCTOU) attacks because it passes the original `event` pointer, allowing downstream functions to re-read loop bounds and data directly from untrusted shared memory after upstream validation.
--
commit b0c86c3be4ebfa2c805c53d8b33cdd8c93b7408a
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf session: Snapshot event->header.size in process_user_event()
This commit snapshots event->header.size into a local variable using
READ_ONCE() at function entry to mitigate Time-of-Check to Time-of-Use
(TOCTOU) issues. It then replaces various reads of event->header.size
throughout the function with the local snapshot.
> diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
> index 69eb404f805d8..d62cb21920e04 100644
> --- a/tools/perf/util/session.c
> +++ b/tools/perf/util/session.c
[ ... ]
> @@ -2378,8 +2379,8 @@ static s64 perf_session__process_user_event(struct perf_session *session,
> break;
> }
> case PERF_RECORD_STAT_CONFIG: {
> - /* Cannot underflow: perf_event__min_size[] guarantees header.size >= sizeof */
> - u64 max_nr = (event->header.size - sizeof(event->stat_config)) /
> + /* Cannot underflow: perf_event__min_size[] guarantees event_size >= sizeof */
> + u64 max_nr = (event_size - sizeof(event->stat_config)) /
[Severity: Critical]
This is a pre-existing issue, but is it safe to snapshot the size into
event_size at the start of this function after the caller has already
validated it?
If the event is read from shared memory, an attacker could concurrently
modify the size between the caller's validation and the READ_ONCE() at
function entry, causing it to shrink.
Since this new unvalidated event_size is used in later calculations, couldn't
event_size - sizeof(event->stat_config) underflow and bypass the bounds
check?
> sizeof(event->stat_config.data[0]);
>
[ ... ]
> @@ -2410,7 +2411,7 @@ static s64 perf_session__process_user_event(struct perf_session *session,
> */
> memset(&session->time_conv, 0, sizeof(session->time_conv));
> memcpy(&session->time_conv, &event->time_conv,
> - min((size_t)event->header.size, sizeof(session->time_conv)));
> + min((size_t)event_size, sizeof(session->time_conv)));
> err = tool->time_conv(tool, session, event);
[Severity: High]
This isn't a bug introduced by this patch, but does passing the original
event pointer to downstream callbacks leave them vulnerable to Time-of-Check
to Time-of-Use (TOCTOU) attacks?
Since the event points directly to untrusted shared memory, couldn't
downstream functions like tool->time_conv() re-read loop bounds or data
directly from the event, bypassing the upstream bounds validation?
> break;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260524032709.1080771-1-acme@kernel.org?part=28
next prev parent reply other threads:[~2026-05-24 4:31 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-24 3:26 [PATCHES v2 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 01/29] perf session: Add minimum event size and alignment validation Arnaldo Carvalho de Melo
2026-05-24 4:13 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 02/29] perf session: Bounds-check one_mmap event pointer in peek_event Arnaldo Carvalho de Melo
2026-05-24 4:03 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 03/29] perf tools: Fix event_contains() macro to verify full field extent Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 04/29] perf zstd: Fix compression error path in zstd_compress_stream_to_records() Arnaldo Carvalho de Melo
2026-05-24 4:06 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 05/29] perf zstd: Fix multi-iteration decompression and error handling Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 06/29] perf session: Fix PERF_RECORD_READ swap and dump for variable-length events Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 07/29] perf session: Fix swap_sample_id_all() crash on crafted events Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 08/29] perf session: Add validated swap infrastructure with null-termination checks Arnaldo Carvalho de Melo
2026-05-24 4:05 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 09/29] perf session: Use bounded copy for PERF_RECORD_TIME_CONV Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-24 4:08 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 11/29] perf session: Validate nr fields against event size on both swap and common paths Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 12/29] perf header: Byte-swap build ID event pid and bounds check section entries Arnaldo Carvalho de Melo
2026-05-24 4:08 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-24 4:04 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 14/29] perf auxtrace: Harden auxtrace_error event handling Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-24 4:13 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 16/29] perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 17/29] perf tools: Bounds check perf_event_attr fields against attr.size before printing Arnaldo Carvalho de Melo
2026-05-24 4:01 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 18/29] perf header: Propagate feature section processing errors Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 19/29] perf header: Validate f_attr.ids section before use in perf_session__read_header() Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 20/29] perf header: Validate feature section size and add read path bounds checking Arnaldo Carvalho de Melo
2026-05-24 4:37 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 21/29] perf header: Sanity check HEADER_EVENT_DESC attr.size before swap Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 22/29] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 23/29] perf session: Add byte-swap handler for PERF_RECORD_COMPRESSED2 Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 24/29] perf tools: Harden compressed event processing Arnaldo Carvalho de Melo
2026-05-24 4:35 ` sashiko-bot
2026-05-24 3:26 ` [PATCH 25/29] perf session: Check for decompression buffer size overflow Arnaldo Carvalho de Melo
2026-05-24 3:27 ` [PATCH 26/29] perf session: Bound nr_cpus_avail and validate sample CPU Arnaldo Carvalho de Melo
2026-05-24 6:23 ` sashiko-bot
2026-05-24 3:27 ` [PATCH 27/29] perf kwork: Bounds check work->cpu before indexing cpus_runtime[] Arnaldo Carvalho de Melo
2026-05-24 3:27 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-24 4:31 ` sashiko-bot [this message]
2026-05-24 3:27 ` [PATCH 29/29] perf test: Add truncated perf.data robustness test Arnaldo Carvalho de Melo
-- strict thread matches above, loose matches on Subject: below --
2026-05-25 1:05 [PATCHES v3 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-26 21:17 [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-26 21:18 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-26 22:31 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260524043108.E7F771F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox