From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events
Date: Mon, 25 May 2026 01:54:45 +0000 [thread overview]
Message-ID: <20260525015446.763731F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260525010550.1100375-16-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Flawed TOCTOU mitigations in `perf_session__process_user_event` introduce a new double-fetch vulnerability and fail to protect downstream consumers.
--
commit 30d93e0987b40b97105d2394d829563792873b62
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events
This commit adds byte-swapping and bounds validation for PERF_RECORD_BPF_METADATA
events to prevent out-of-bounds reads when processing cross-endian perf.data files.
It handles writable cross-endian mappings by clamping values in place and validates
read-only native-endian mappings to skip malicious records.
> diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
> index 092fccbea8f80..95eb793026de6 100644
> --- a/tools/perf/util/session.c
> +++ b/tools/perf/util/session.c
[ ... ]
> @@ -2203,9 +2246,53 @@ static s64 perf_session__process_user_event(struct perf_session *session,
> case PERF_RECORD_FINISHED_INIT:
> err = tool->finished_init(tool, session, event);
> break;
> - case PERF_RECORD_BPF_METADATA:
> + case PERF_RECORD_BPF_METADATA: {
> + u64 nr_entries, max_entries;
> + u32 hdr_size = READ_ONCE(event->header.size);
[Severity: Medium]
Could the snapshotting of event->header.size introduce a double-fetch issue?
Since native-endian files are mapped as MAP_SHARED, it seems a concurrent
modification by a malicious file writer could inflate event->header.size in
the time window between the core bounds check and this READ_ONCE().
If hdr_size is inflated, the calculated max_entries would be larger than the
actual mmap region, which might cause the strnlen loop below to read out
of bounds.
> +
> + if (hdr_size < sizeof(event->bpf_metadata)) {
> + pr_warning("WARNING: PERF_RECORD_BPF_METADATA: header.size (%u) too small, skipping\n",
> + hdr_size);
> + err = 0;
> + break;
> + }
[ ... ]
> + /* Snapshot — event is mmap'd and could change between reads */
> + nr_entries = READ_ONCE(event->bpf_metadata.nr_entries);
> + max_entries = (hdr_size - sizeof(event->bpf_metadata)) /
> + sizeof(event->bpf_metadata.entries[0]);
> + if (nr_entries > max_entries) {
> + pr_warning("WARNING: PERF_RECORD_BPF_METADATA: nr_entries %" PRIu64 " exceeds max %" PRIu64 ", skipping\n",
> + nr_entries, max_entries);
> + err = 0;
> + break;
> + }
> +
> + for (u64 i = 0; i < nr_entries; i++) {
> + if (strnlen(event->bpf_metadata.entries[i].key,
> + BPF_METADATA_KEY_LEN) == BPF_METADATA_KEY_LEN ||
> + strnlen(event->bpf_metadata.entries[i].value,
> + BPF_METADATA_VALUE_LEN) == BPF_METADATA_VALUE_LEN) {
> + pr_warning("WARNING: PERF_RECORD_BPF_METADATA: entry %" PRIu64 " key/value not null-terminated, skipping\n", i);
> + err = 0;
> + goto out;
> + }
> + }
> +
> err = tool->bpf_metadata(tool, session, event);
[Severity: Medium]
Does passing the raw event pointer to downstream consumers bypass the
validation performed above?
Because the event is volatile, functions downstream might re-read
event->bpf_metadata.nr_entries directly from the memory mapping instead
of using the validated nr_entries snapshot.
Could this lead to an out-of-bounds read if the value changes after the check
but before the consumer uses it?
> break;
> + }
> case PERF_RECORD_SCHEDSTAT_CPU:
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260525010550.1100375-1-acme@kernel.org?part=15
next prev parent reply other threads:[~2026-05-25 1:54 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 1:05 [PATCHES v3 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 01/29] perf session: Add minimum event size and alignment validation Arnaldo Carvalho de Melo
2026-05-25 1:45 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 02/29] perf session: Bounds-check one_mmap event pointer in peek_event Arnaldo Carvalho de Melo
2026-05-25 1:41 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 03/29] perf tools: Fix event_contains() macro to verify full field extent Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 04/29] perf zstd: Fix compression error path in zstd_compress_stream_to_records() Arnaldo Carvalho de Melo
2026-05-25 1:52 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 05/29] perf zstd: Fix multi-iteration decompression and error handling Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 06/29] perf session: Fix PERF_RECORD_READ swap and dump for variable-length events Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 07/29] perf session: Fix swap_sample_id_all() crash on crafted events Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 08/29] perf session: Add validated swap infrastructure with null-termination checks Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 09/29] perf session: Use bounded copy for PERF_RECORD_TIME_CONV Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-25 1:56 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 11/29] perf session: Validate nr fields against event size on both swap and common paths Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 12/29] perf header: Byte-swap build ID event pid and bounds check section entries Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-25 1:40 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 14/29] perf auxtrace: Harden auxtrace_error event handling Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-25 1:54 ` sashiko-bot [this message]
2026-05-25 1:05 ` [PATCH 16/29] perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 17/29] perf tools: Bounds check perf_event_attr fields against attr.size before printing Arnaldo Carvalho de Melo
2026-05-25 1:59 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 18/29] perf header: Propagate feature section processing errors Arnaldo Carvalho de Melo
2026-05-25 3:01 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 19/29] perf header: Validate f_attr.ids section before use in perf_session__read_header() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 20/29] perf header: Validate feature section size and add read path bounds checking Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 21/29] perf header: Sanity check HEADER_EVENT_DESC attr.size before swap Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 22/29] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-05-25 2:29 ` sashiko-bot
2026-05-25 15:38 ` Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 23/29] perf session: Add byte-swap handler for PERF_RECORD_COMPRESSED2 Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 24/29] perf tools: Harden compressed event processing Arnaldo Carvalho de Melo
2026-05-25 2:17 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 25/29] perf session: Check for decompression buffer size overflow Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 26/29] perf session: Bound nr_cpus_avail and validate sample CPU Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 27/29] perf kwork: Bounds check work->cpu before indexing cpus_runtime[] Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 29/29] perf test: Add truncated perf.data robustness test Arnaldo Carvalho de Melo
2026-05-25 2:04 ` sashiko-bot
2026-05-25 15:41 ` Arnaldo Carvalho de Melo
-- strict thread matches above, loose matches on Subject: below --
2026-05-26 21:17 [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-26 21:56 ` sashiko-bot
2026-05-24 3:26 [PATCHES v2 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-24 4:13 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260525015446.763731F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox