From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
James Clark <james.clark@linaro.org>,
Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Clark Williams <williams@redhat.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
Arnaldo Carvalho de Melo <acme@redhat.com>,
sashiko-bot@kernel.org,
"Claude Opus 4.6 (1M context)" <noreply@anthropic.com>
Subject: [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event()
Date: Tue, 26 May 2026 18:18:04 -0300 [thread overview]
Message-ID: <20260526211806.1193848-29-acme@kernel.org> (raw)
In-Reply-To: <20260526211806.1193848-1-acme@kernel.org>
From: Arnaldo Carvalho de Melo <acme@redhat.com>
On native-endian files, events are read from MAP_SHARED memory.
Multiple reads of event->header.size can return different values
if the file is concurrently modified, allowing an attacker to
bypass bounds checks performed on an earlier read.
Snapshot header.size into a local variable at function entry using
READ_ONCE() to prevent compiler rematerialization, and use it for
all size-dependent arithmetic within the function. This ensures
every bounds calculation uses the same value that was validated
by the reader.
Reported-by: sashiko-bot@kernel.org # Running on a local machine
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
tools/perf/util/session.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
index 6de665d3c9054179..e2e821b77766dbfc 100644
--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -2230,6 +2230,7 @@ static s64 perf_session__process_user_event(struct perf_session *session,
{
struct ordered_events *oe = &session->ordered_events;
const struct perf_tool *tool = session->tool;
+ const u32 event_size = READ_ONCE(event->header.size);
struct perf_sample sample;
int fd = perf_data__fd(session->data);
s64 err;
@@ -2271,7 +2272,7 @@ static s64 perf_session__process_user_event(struct perf_session *session,
break;
case PERF_RECORD_HEADER_BUILD_ID:
if (!perf_event__check_nul(event->build_id.filename,
- (void *)event + event->header.size,
+ (void *)event + event_size,
"HEADER_BUILD_ID")) {
err = 0;
break;
@@ -2294,7 +2295,7 @@ static s64 perf_session__process_user_event(struct perf_session *session,
* place already.
*/
if (!perf_data__is_pipe(session->data))
- lseek(fd, file_offset + event->header.size, SEEK_SET);
+ lseek(fd, file_offset + event_size, SEEK_SET);
err = tool->auxtrace(tool, session, event);
break;
case PERF_RECORD_AUXTRACE_ERROR:
@@ -2304,14 +2305,14 @@ static s64 perf_session__process_user_event(struct perf_session *session,
case PERF_RECORD_THREAD_MAP: {
u64 max_nr;
- if (event->header.size < sizeof(event->thread_map)) {
+ if (event_size < sizeof(event->thread_map)) {
pr_err("PERF_RECORD_THREAD_MAP: header.size (%u) too small\n",
- event->header.size);
+ event_size);
err = -EINVAL;
break;
}
- max_nr = (event->header.size - sizeof(event->thread_map)) /
+ max_nr = (event_size - sizeof(event->thread_map)) /
sizeof(event->thread_map.entries[0]);
if (event->thread_map.nr > max_nr) {
pr_err("PERF_RECORD_THREAD_MAP: nr %" PRIu64 " exceeds max %" PRIu64 "\n",
@@ -2325,7 +2326,7 @@ static s64 perf_session__process_user_event(struct perf_session *session,
}
case PERF_RECORD_CPU_MAP: {
struct perf_record_cpu_map_data *data = &event->cpu_map.data;
- u32 payload = event->header.size - sizeof(event->header);
+ u32 payload = event_size - sizeof(event->header);
/*
* Native-endian events are mmap'd read-only, so we
@@ -2389,8 +2390,8 @@ static s64 perf_session__process_user_event(struct perf_session *session,
break;
}
case PERF_RECORD_STAT_CONFIG: {
- /* Cannot underflow: perf_event__min_size[] guarantees header.size >= sizeof */
- u64 max_nr = (event->header.size - sizeof(event->stat_config)) /
+ /* Cannot underflow: perf_event__min_size[] guarantees event_size >= sizeof */
+ u64 max_nr = (event_size - sizeof(event->stat_config)) /
sizeof(event->stat_config.data[0]);
/*
@@ -2421,7 +2422,7 @@ static s64 perf_session__process_user_event(struct perf_session *session,
*/
memset(&session->time_conv, 0, sizeof(session->time_conv));
memcpy(&session->time_conv, &event->time_conv,
- min((size_t)event->header.size, sizeof(session->time_conv)));
+ min((size_t)event_size, sizeof(session->time_conv)));
err = tool->time_conv(tool, session, event);
break;
case PERF_RECORD_HEADER_FEATURE:
@@ -2438,11 +2439,10 @@ static s64 perf_session__process_user_event(struct perf_session *session,
break;
case PERF_RECORD_BPF_METADATA: {
u64 nr_entries, max_entries;
- u32 hdr_size = READ_ONCE(event->header.size);
- if (hdr_size < sizeof(event->bpf_metadata)) {
+ if (event_size < sizeof(event->bpf_metadata)) {
pr_warning("WARNING: PERF_RECORD_BPF_METADATA: header.size (%u) too small, skipping\n",
- hdr_size);
+ event_size);
err = 0;
break;
}
@@ -2458,9 +2458,8 @@ static s64 perf_session__process_user_event(struct perf_session *session,
break;
}
- /* Snapshot — event is mmap'd and could change between reads */
nr_entries = READ_ONCE(event->bpf_metadata.nr_entries);
- max_entries = (hdr_size - sizeof(event->bpf_metadata)) /
+ max_entries = (event_size - sizeof(event->bpf_metadata)) /
sizeof(event->bpf_metadata.entries[0]);
if (nr_entries > max_entries) {
pr_warning("WARNING: PERF_RECORD_BPF_METADATA: nr_entries %" PRIu64 " exceeds max %" PRIu64 ", skipping\n",
--
2.54.0
next prev parent reply other threads:[~2026-05-26 21:19 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-26 21:17 [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 01/29] perf session: Add minimum event size and alignment validation Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 02/29] perf session: Bounds-check one_mmap event pointer in peek_event Arnaldo Carvalho de Melo
2026-05-26 22:00 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 03/29] perf tools: Fix event_contains() macro to verify full field extent Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 04/29] perf zstd: Fix compression error path in zstd_compress_stream_to_records() Arnaldo Carvalho de Melo
2026-05-26 22:00 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 05/29] perf zstd: Fix multi-iteration decompression and error handling Arnaldo Carvalho de Melo
2026-05-26 21:49 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 06/29] perf session: Fix PERF_RECORD_READ swap and dump for variable-length events Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 07/29] perf session: Fix swap_sample_id_all() crash on crafted events Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 08/29] perf session: Add validated swap infrastructure with null-termination checks Arnaldo Carvalho de Melo
2026-05-26 21:55 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 09/29] perf session: Use bounded copy for PERF_RECORD_TIME_CONV Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-26 22:01 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 11/29] perf session: Validate nr fields against event size on both swap and common paths Arnaldo Carvalho de Melo
2026-05-26 21:54 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 12/29] perf header: Byte-swap build ID event pid and bounds check section entries Arnaldo Carvalho de Melo
2026-05-26 22:05 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-26 22:03 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 14/29] perf auxtrace: Harden auxtrace_error event handling Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-26 21:56 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 16/29] perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 17/29] perf tools: Bounds check perf_event_attr fields against attr.size before printing Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 18/29] perf header: Propagate feature section processing errors Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 19/29] perf header: Validate f_attr.ids section before use in perf_session__read_header() Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 20/29] perf header: Validate feature section size and add read path bounds checking Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 21/29] perf header: Sanity check HEADER_EVENT_DESC attr.size before swap Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 22/29] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 23/29] perf session: Add byte-swap handler for PERF_RECORD_COMPRESSED2 Arnaldo Carvalho de Melo
2026-05-26 21:18 ` [PATCH 24/29] perf tools: Harden compressed event processing Arnaldo Carvalho de Melo
2026-05-26 22:23 ` sashiko-bot
2026-05-26 21:18 ` [PATCH 25/29] perf session: Check for decompression buffer size overflow Arnaldo Carvalho de Melo
2026-05-26 21:18 ` [PATCH 26/29] perf session: Bound nr_cpus_avail and validate sample CPU Arnaldo Carvalho de Melo
2026-05-26 22:40 ` sashiko-bot
2026-05-26 21:18 ` [PATCH 27/29] perf kwork: Bounds check work->cpu before indexing cpus_runtime[] Arnaldo Carvalho de Melo
2026-05-26 21:18 ` Arnaldo Carvalho de Melo [this message]
2026-05-26 22:31 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() sashiko-bot
2026-05-26 21:18 ` [PATCH 29/29] perf test: Add truncated perf.data robustness test Arnaldo Carvalho de Melo
2026-05-26 22:19 ` sashiko-bot
2026-05-27 0:50 ` Arnaldo Carvalho de Melo
2026-05-27 1:06 ` [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
-- strict thread matches above, loose matches on Subject: below --
2026-05-25 1:05 [PATCHES v3 " Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-25 2:39 ` sashiko-bot
2026-05-24 3:26 [PATCHES v2 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-24 3:27 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-24 4:31 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260526211806.1193848-29-acme@kernel.org \
--to=acme@kernel.org \
--cc=acme@redhat.com \
--cc=adrian.hunter@intel.com \
--cc=irogers@google.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
--cc=noreply@anthropic.com \
--cc=sashiko-bot@kernel.org \
--cc=tglx@linutronix.de \
--cc=williams@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox