From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu
Date: Mon, 25 May 2026 01:40:05 +0000 [thread overview]
Message-ID: <20260525014006.6DDF71F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260525010550.1100375-14-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Cross-file TOCTOU vulnerability in cpu_map__from_entries() and cpu_map__from_mask() leads to out-of-bounds read.
- [High] TOCTOU double-read in cpu_map__from_mask() results in uninitialized array elements and downstream out-of-bounds accesses.
--
commit 9fea5c7d4c9b27133ef761a257813e84f9929191
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu
This commit fixes a huge allocation attempt in perf_cpu_map__empty_new()
by returning NULL when start_cpu > end_cpu. It also clamps any_cpu to a
boolean, rejects unsupported long_size values, and snapshots mmap'd
fields using READ_ONCE() to prevent TOCTOU re-reads.
> diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
> --- a/tools/perf/util/cpumap.c
> +++ b/tools/perf/util/cpumap.c
[ ... ]
> @@ -64,24 +66,27 @@ static void perf_record_cpu_map_data__read_one_mask(const struct perf_record_cpu
> }
> static struct perf_cpu_map *cpu_map__from_entries(const struct perf_record_cpu_map_data *data)
> {
> + /* Snapshot nr — data is mmap'd and could change between reads */
> + u16 nr = READ_ONCE(data->cpus_data.nr);
[Severity: High]
This is a pre-existing issue, but does this snapshot fully resolve the TOCTOU
vulnerability if the length isn't validated against the event payload bounds?
While READ_ONCE() captures the value safely, if a FUSE filesystem inflates
the length between the check in session.c and the read here in cpumap.c, the
subsequent loop might still read past the end of the event buffer or mmap
region.
Could this result in an out-of-bounds read and crash the tool?
> struct perf_cpu_map *map;
>
> - map = perf_cpu_map__empty_new(data->cpus_data.nr);
> + map = perf_cpu_map__empty_new(nr);
> if (!map)
> return NULL;
[ ... ]
> @@ -106,11 +121,14 @@ static struct perf_cpu_map *cpu_map__from_mask(const struct perf_record_cpu_map_
> return NULL;
>
> for (int i = 0, j = 0; i < mask_nr; i++) {
> - int cpus_per_i = (i * data->mask32_data.long_size * BITS_PER_BYTE);
> + int cpus_per_i = (i * long_size * BITS_PER_BYTE);
> int cpu;
>
> - perf_record_cpu_map_data__read_one_mask(data, i, local_copy);
> + perf_record_cpu_map_data__read_one_mask(data, i, local_copy, long_size);
> for_each_set_bit(cpu, local_copy, 64) {
> + /* Guard against more set bits than the first pass counted */
> + if (j >= weight)
> + break;
[Severity: High]
This isn't a bug introduced by this patch, but how does this code handle the
case where the second pass over the mmap'd mask array yields fewer set bits
than the first pass?
If the memory is altered between passes, the trailing elements of the
allocated map would retain their -1 initialization from
perf_cpu_map__empty_new(). Downstream consumers expect valid CPUs.
Could this cause perf_cpu_map__max() to return -1 and trigger 0-byte
allocations, or cause negative out-of-bounds reads in downstream arrays like
cpunode_map?
> if (cpu + cpus_per_i < INT16_MAX) {
> RC_CHK_ACCESS(map)->map[j++].cpu = cpu + cpus_per_i;
> } else {
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260525010550.1100375-1-acme@kernel.org?part=13
next prev parent reply other threads:[~2026-05-25 1:40 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 1:05 [PATCHES v3 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 01/29] perf session: Add minimum event size and alignment validation Arnaldo Carvalho de Melo
2026-05-25 1:45 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 02/29] perf session: Bounds-check one_mmap event pointer in peek_event Arnaldo Carvalho de Melo
2026-05-25 1:41 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 03/29] perf tools: Fix event_contains() macro to verify full field extent Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 04/29] perf zstd: Fix compression error path in zstd_compress_stream_to_records() Arnaldo Carvalho de Melo
2026-05-25 1:52 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 05/29] perf zstd: Fix multi-iteration decompression and error handling Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 06/29] perf session: Fix PERF_RECORD_READ swap and dump for variable-length events Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 07/29] perf session: Fix swap_sample_id_all() crash on crafted events Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 08/29] perf session: Add validated swap infrastructure with null-termination checks Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 09/29] perf session: Use bounded copy for PERF_RECORD_TIME_CONV Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-25 1:56 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 11/29] perf session: Validate nr fields against event size on both swap and common paths Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 12/29] perf header: Byte-swap build ID event pid and bounds check section entries Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-25 1:40 ` sashiko-bot [this message]
2026-05-25 1:05 ` [PATCH 14/29] perf auxtrace: Harden auxtrace_error event handling Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-25 1:54 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 16/29] perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 17/29] perf tools: Bounds check perf_event_attr fields against attr.size before printing Arnaldo Carvalho de Melo
2026-05-25 1:59 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 18/29] perf header: Propagate feature section processing errors Arnaldo Carvalho de Melo
2026-05-25 3:01 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 19/29] perf header: Validate f_attr.ids section before use in perf_session__read_header() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 20/29] perf header: Validate feature section size and add read path bounds checking Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 21/29] perf header: Sanity check HEADER_EVENT_DESC attr.size before swap Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 22/29] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-05-25 2:29 ` sashiko-bot
2026-05-25 15:38 ` Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 23/29] perf session: Add byte-swap handler for PERF_RECORD_COMPRESSED2 Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 24/29] perf tools: Harden compressed event processing Arnaldo Carvalho de Melo
2026-05-25 2:17 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 25/29] perf session: Check for decompression buffer size overflow Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 26/29] perf session: Bound nr_cpus_avail and validate sample CPU Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 27/29] perf kwork: Bounds check work->cpu before indexing cpus_runtime[] Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 29/29] perf test: Add truncated perf.data robustness test Arnaldo Carvalho de Melo
2026-05-25 2:04 ` sashiko-bot
2026-05-25 15:41 ` Arnaldo Carvalho de Melo
-- strict thread matches above, loose matches on Subject: below --
2026-05-26 21:17 [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-26 22:03 ` sashiko-bot
2026-05-24 3:26 [PATCHES v2 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-24 4:04 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260525014006.6DDF71F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox