From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping
Date: Mon, 25 May 2026 01:56:01 +0000 [thread overview]
Message-ID: <20260525015602.030951F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260525010550.1100375-11-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Repeated reads of `event->header.size` directly from a potentially shared memory-mapped buffer (`MAP_SHARED`) allow an attacker to bypass bounds validation by concurrently shrinking the size after checks. This leads to severe integer underflows and subsequent heap buffer overflows or massive memory allocations.
--
commit 28785713230e6589c3240262dcee366a34bae636
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf session: Validate HEADER_ATTR attr.size before swapping
Harden PERF_RECORD_HEADER_ATTR handling against crafted perf.data:
- Validate attr.size: must be >= PERF_ATTR_SIZE_VER0, a multiple
of sizeof(u64), and fit within the event payload.
- Copy only min(attr.size, sizeof(struct perf_event_attr)) bytes
into a local attr, zeroing the rest so legacy files don't leak
adjacent event data into new fields.
- Keep the original attr.size so perf_event__synthesize_attr()
uses it for both allocation and ID-array placement.
> diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
> index 41a3721a194dc..d8cb1f562f690 100644
> --- a/tools/perf/builtin-inject.c
> +++ b/tools/perf/builtin-inject.c
[ ... ]
> @@ -244,24 +245,34 @@ static int perf_event__repipe_attr(const struct perf_tool *tool,
> if (!inject->itrace_synth_opts.set)
> return perf_event__repipe_synth(tool, event);
>
> - if (event->header.size < sizeof(struct perf_event_header) + sizeof(u64)) {
> + if (event->header.size < sizeof(struct perf_event_header) + PERF_ATTR_SIZE_VER0) {
> pr_err("Attribute event size %u is too small\n", event->header.size);
> return -EINVAL;
> }
>
> - if (event->header.size - sizeof(event->header) < event->attr.attr.size) {
> + /*
> + * ABI0 pipe/inject events have attr.size == 0; default to
> + * PERF_ATTR_SIZE_VER0 (the ABI0 footprint) for the bounded
> + * copy and ID array position. Same pattern as
> + * perf_event__process_attr() in header.c.
> + */
> + raw_attr_size = event->attr.attr.size;
> + attr_size = raw_attr_size ?: PERF_ATTR_SIZE_VER0;
> +
> + if (raw_attr_size && (raw_attr_size < PERF_ATTR_SIZE_VER0 ||
> + raw_attr_size > event->header.size - sizeof(event->header))) {
> pr_err("Attribute event size %u is too small for attr.size %u\n",
> - event->header.size, event->attr.attr.size);
> + event->header.size, raw_attr_size);
> return -EINVAL;
> }
>
> memset(&attr, 0, sizeof(attr));
> memcpy(&attr, &event->attr.attr,
> - min_t(size_t, sizeof(attr), (size_t)event->attr.attr.size));
> + min_t(size_t, sizeof(attr), attr_size));
>
> - n_ids = event->header.size - sizeof(event->header) - event->attr.attr.size;
> + n_ids = event->header.size - sizeof(event->header) - attr_size;
[Severity: High]
This is a pre-existing issue, but does reading event->header.size here directly
from a potentially shared memory-mapped buffer (MAP_SHARED) allow a
time-of-check to time-of-use (TOCTOU) race?
If an attacker concurrently shrinks event->header.size after the bounds
validation checks above, this calculation can severely underflow.
The underflowed n_ids is then passed to perf_event__synthesize_attr() which,
on 32-bit architectures, wraps around during the size calculation.
This results in a small memory allocation followed by a massive memcpy(),
causing a heap buffer overflow.
Should we cache event->header.size in a local variable like we did for
raw_attr_size?
> n_ids /= sizeof(u64);
> - ids = perf_record_header_attr_id(event);
> + ids = (void *)&event->attr.attr + attr_size;
>
> attr.size = sizeof(struct perf_event_attr);
> attr.sample_type &= ~PERF_SAMPLE_AUX;
[ ... ]
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index f30e48eb3fc32..967c3d8ff12c8 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
[ ... ]
> @@ -5094,11 +5110,42 @@ int perf_event__process_attr(const struct perf_tool *tool __maybe_unused,
> union perf_event *event,
> struct evlist **pevlist)
> {
> - u32 i, n_ids;
> + struct perf_event_attr attr;
> + u32 i, n_ids, raw_attr_size;
> u64 *ids;
> + size_t attr_size, copy_size;
> struct evsel *evsel;
> struct evlist *evlist = *pevlist;
>
> + /*
> + * HEADER_ATTR event layout (pipe/inject mode):
> + *
> + * [header (8 bytes)] [attr (attr_size bytes)] [id0 id1 ... idN]
> + * |<------------------ header.size --------------------------->|
> + *
> + * attr_size varies across perf versions: VER0 = 64 bytes,
> + * current sizeof(struct perf_event_attr) = larger. A newer
> + * producer may emit a larger attr than we understand.
> + *
> + * attr.size == 0 (ABI0) means the producer didn't set it
> + * (e.g., bench/inject-buildid, older perf). Treat as VER0.
> + *
> + * Require 8-byte alignment so the u64 ID array is aligned
> + * and attr.size fits cleanly within the payload.
> + *
> + * Read attr.size once — the event may be on a shared mmap
> + * and re-reading could yield a different value.
> + */
> + raw_attr_size = event->attr.attr.size;
> + if (event->header.size < sizeof(event->header) + PERF_ATTR_SIZE_VER0 ||
> + (raw_attr_size && (raw_attr_size < PERF_ATTR_SIZE_VER0 ||
> + raw_attr_size % sizeof(u64) ||
> + raw_attr_size > event->header.size - sizeof(event->header)))) {
> + pr_err("PERF_RECORD_HEADER_ATTR: invalid attr.size %u (event size %u, min %d)\n",
> + raw_attr_size, event->header.size, PERF_ATTR_SIZE_VER0);
> + return -EINVAL;
> + }
> +
> if (dump_trace)
> perf_event__fprintf_attr(event, stdout);
>
> @@ -5108,13 +5155,46 @@ int perf_event__process_attr(const struct perf_tool *tool __maybe_unused,
> return -ENOMEM;
> }
>
> - evsel = evsel__new(&event->attr.attr);
> + /*
> + * attr_size = footprint of the attr in the event — determines
> + * where the ID array starts. For ABI0, assume VER0 (64 bytes).
> + *
> + * copy_size = how much we copy into our local struct, capped at
> + * sizeof(attr) so a newer producer's larger attr doesn't
> + * overflow. Fields beyond copy_size are zeroed.
> + *
> + * Do NOT write attr_size back to the event — native-endian
> + * files use MAP_SHARED (read-only), writing would SIGSEGV.
> + * The swap path handles ABI0 in perf_event__attr_swap()
> + * which writes to the writable MAP_PRIVATE copy instead.
> + */
> + attr_size = raw_attr_size ?: PERF_ATTR_SIZE_VER0;
> + copy_size = min(attr_size, sizeof(attr));
> + memcpy(&attr, &event->attr.attr, copy_size);
> + if (copy_size < sizeof(attr))
> + memset((void *)&attr + copy_size, 0, sizeof(attr) - copy_size);
> +
> + /*
> + * Normalize ABI0: the swap path sets attr.size = VER0 on the
> + * event, but the native path leaves it as 0. Set it on the
> + * local copy so perf inject re-synthesizes with consistent
> + * layout regardless of endianness.
> + */
> + attr.size = attr_size;
> +
> + evsel = evsel__new(&attr);
> if (evsel == NULL)
> return -ENOMEM;
>
> evlist__add(evlist, evsel);
>
> - n_ids = event->header.size - sizeof(event->header) - event->attr.attr.size;
> + /*
> + * IDs occupy the remainder after header + attr. Use attr_size
> + * (not copy_size) — even if the producer's attr is larger than
> + * our struct, the IDs start after attr_size bytes in the event.
> + * Validation above guarantees attr_size <= payload size.
> + */
> + n_ids = event->header.size - sizeof(event->header) - attr_size;
[Severity: High]
This is a pre-existing issue, but can an attacker concurrently modify
event->header.size here?
Because event can point to a MAP_SHARED buffer, reading event->header.size
multiple times allows a TOCTOU race where the size is shrunk after the bounds
checks.
This would cause n_ids to severely underflow, leading to a massive
memory allocation in perf_evsel__alloc_id() and out-of-bounds reads.
Could we fix this by caching event->header.size into a local variable before
performing the initial validation?
> n_ids = n_ids / sizeof(u64);
> /*
> * We don't have the cpu and thread maps on the header, so
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260525010550.1100375-1-acme@kernel.org?part=10
next prev parent reply other threads:[~2026-05-25 1:56 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 1:05 [PATCHES v3 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 01/29] perf session: Add minimum event size and alignment validation Arnaldo Carvalho de Melo
2026-05-25 1:45 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 02/29] perf session: Bounds-check one_mmap event pointer in peek_event Arnaldo Carvalho de Melo
2026-05-25 1:41 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 03/29] perf tools: Fix event_contains() macro to verify full field extent Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 04/29] perf zstd: Fix compression error path in zstd_compress_stream_to_records() Arnaldo Carvalho de Melo
2026-05-25 1:52 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 05/29] perf zstd: Fix multi-iteration decompression and error handling Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 06/29] perf session: Fix PERF_RECORD_READ swap and dump for variable-length events Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 07/29] perf session: Fix swap_sample_id_all() crash on crafted events Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 08/29] perf session: Add validated swap infrastructure with null-termination checks Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 09/29] perf session: Use bounded copy for PERF_RECORD_TIME_CONV Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-25 1:56 ` sashiko-bot [this message]
2026-05-25 1:05 ` [PATCH 11/29] perf session: Validate nr fields against event size on both swap and common paths Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 12/29] perf header: Byte-swap build ID event pid and bounds check section entries Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-25 1:40 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 14/29] perf auxtrace: Harden auxtrace_error event handling Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-25 1:54 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 16/29] perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 17/29] perf tools: Bounds check perf_event_attr fields against attr.size before printing Arnaldo Carvalho de Melo
2026-05-25 1:59 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 18/29] perf header: Propagate feature section processing errors Arnaldo Carvalho de Melo
2026-05-25 3:01 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 19/29] perf header: Validate f_attr.ids section before use in perf_session__read_header() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 20/29] perf header: Validate feature section size and add read path bounds checking Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 21/29] perf header: Sanity check HEADER_EVENT_DESC attr.size before swap Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 22/29] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-05-25 2:29 ` sashiko-bot
2026-05-25 15:38 ` Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 23/29] perf session: Add byte-swap handler for PERF_RECORD_COMPRESSED2 Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 24/29] perf tools: Harden compressed event processing Arnaldo Carvalho de Melo
2026-05-25 2:17 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 25/29] perf session: Check for decompression buffer size overflow Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 26/29] perf session: Bound nr_cpus_avail and validate sample CPU Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 27/29] perf kwork: Bounds check work->cpu before indexing cpus_runtime[] Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-25 1:05 ` [PATCH 29/29] perf test: Add truncated perf.data robustness test Arnaldo Carvalho de Melo
2026-05-25 2:04 ` sashiko-bot
2026-05-25 15:41 ` Arnaldo Carvalho de Melo
-- strict thread matches above, loose matches on Subject: below --
2026-05-26 21:17 [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-26 22:01 ` sashiko-bot
2026-05-24 3:26 [PATCHES v2 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-24 4:08 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260525015602.030951F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox