From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping
Date: Tue, 26 May 2026 22:01:32 +0000 [thread overview]
Message-ID: <20260526220132.E3A611F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260526211806.1193848-11-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Missing TOCTOU protection for `event->header.size` during validation on shared mmaps.
--
commit e4ad3606afbf2146d8e039237ce12985c68071fa
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
Subject: perf session: Validate HEADER_ATTR attr.size before swapping
This patch hardens PERF_RECORD_HEADER_ATTR handling against crafted perf.data
files. It validates attr.size, bounds the copy size to prevent leaking
adjacent event data, and retains the original attr.size for correct event
re-synthesis.
> diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
> index 41a3721a194dc..d8cb1f562f690 100644
> --- a/tools/perf/builtin-inject.c
> +++ b/tools/perf/builtin-inject.c
[ ... ]
> @@ -244,24 +245,34 @@ static int perf_event__repipe_attr(const struct perf_tool *tool,
> if (!inject->itrace_synth_opts.set)
> return perf_event__repipe_synth(tool, event);
>
> - if (event->header.size < sizeof(struct perf_event_header) + sizeof(u64)) {
> + if (event->header.size < sizeof(struct perf_event_header) + PERF_ATTR_SIZE_VER0) {
> pr_err("Attribute event size %u is too small\n", event->header.size);
> return -EINVAL;
> }
>
> - if (event->header.size - sizeof(event->header) < event->attr.attr.size) {
> + /*
> + * ABI0 pipe/inject events have attr.size == 0; default to
> + * PERF_ATTR_SIZE_VER0 (the ABI0 footprint) for the bounded
> + * copy and ID array position. Same pattern as
> + * perf_event__process_attr() in header.c.
> + */
> + raw_attr_size = event->attr.attr.size;
> + attr_size = raw_attr_size ?: PERF_ATTR_SIZE_VER0;
> +
> + if (raw_attr_size && (raw_attr_size < PERF_ATTR_SIZE_VER0 ||
> + raw_attr_size > event->header.size - sizeof(event->header))) {
> pr_err("Attribute event size %u is too small for attr.size %u\n",
> - event->header.size, event->attr.attr.size);
> + event->header.size, raw_attr_size);
> return -EINVAL;
> }
>
> memset(&attr, 0, sizeof(attr));
> memcpy(&attr, &event->attr.attr,
> - min_t(size_t, sizeof(attr), (size_t)event->attr.attr.size));
> + min_t(size_t, sizeof(attr), attr_size));
>
> - n_ids = event->header.size - sizeof(event->header) - event->attr.attr.size;
> + n_ids = event->header.size - sizeof(event->header) - attr_size;
[Severity: Medium]
Is it possible for event->header.size to change between the validation above
and this calculation?
Since raw_attr_size was explicitly snapshotted to prevent race conditions on
shared memory mappings, could a concurrently modified event->header.size
bypass the bounds check?
If event->header.size is shrunk concurrently after the validation, could this
cause n_ids to underflow?
> n_ids /= sizeof(u64);
> - ids = perf_record_header_attr_id(event);
> + ids = (void *)&event->attr.attr + attr_size;
>
> attr.size = sizeof(struct perf_event_attr);
> attr.sample_type &= ~PERF_SAMPLE_AUX;
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index f30e48eb3fc32..967c3d8ff12c8 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
[ ... ]
> @@ -5094,11 +5110,42 @@ int perf_event__process_attr(const struct perf_tool *tool __maybe_unused,
> union perf_event *event,
> struct evlist **pevlist)
> {
> - u32 i, n_ids;
> + struct perf_event_attr attr;
> + u32 i, n_ids, raw_attr_size;
> u64 *ids;
> + size_t attr_size, copy_size;
> struct evsel *evsel;
> struct evlist *evlist = *pevlist;
>
> + /*
> + * HEADER_ATTR event layout (pipe/inject mode):
> + *
> + * [header (8 bytes)] [attr (attr_size bytes)] [id0 id1 ... idN]
> + * |<------------------ header.size --------------------------->|
> + *
> + * attr_size varies across perf versions: VER0 = 64 bytes,
> + * current sizeof(struct perf_event_attr) = larger. A newer
> + * producer may emit a larger attr than we understand.
> + *
> + * attr.size == 0 (ABI0) means the producer didn't set it
> + * (e.g., bench/inject-buildid, older perf). Treat as VER0.
> + *
> + * Require 8-byte alignment so the u64 ID array is aligned
> + * and attr.size fits cleanly within the payload.
> + *
> + * Read attr.size once — the event may be on a shared mmap
> + * and re-reading could yield a different value.
> + */
> + raw_attr_size = event->attr.attr.size;
> + if (event->header.size < sizeof(event->header) + PERF_ATTR_SIZE_VER0 ||
> + (raw_attr_size && (raw_attr_size < PERF_ATTR_SIZE_VER0 ||
> + raw_attr_size % sizeof(u64) ||
> + raw_attr_size > event->header.size - sizeof(event->header)))) {
> + pr_err("PERF_RECORD_HEADER_ATTR: invalid attr.size %u (event size %u, min %d)\n",
> + raw_attr_size, event->header.size, PERF_ATTR_SIZE_VER0);
> + return -EINVAL;
> + }
> +
[ ... ]
> - n_ids = event->header.size - sizeof(event->header) - event->attr.attr.size;
> + n_ids = event->header.size - sizeof(event->header) - attr_size;
[Severity: Medium]
Could this calculation also suffer from the same race condition if
event->header.size is modified after the validation above?
If an attacker shrinks event->header.size concurrently, could n_ids underflow
and lead to an out-of-bounds memory read when allocating and populating the
IDs array?
> n_ids = n_ids / sizeof(u64);
> /*
> * We don't have the cpu and thread maps on the header, so
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260526211806.1193848-1-acme@kernel.org?part=10
next prev parent reply other threads:[~2026-05-26 22:01 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-26 21:17 [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 01/29] perf session: Add minimum event size and alignment validation Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 02/29] perf session: Bounds-check one_mmap event pointer in peek_event Arnaldo Carvalho de Melo
2026-05-26 22:00 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 03/29] perf tools: Fix event_contains() macro to verify full field extent Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 04/29] perf zstd: Fix compression error path in zstd_compress_stream_to_records() Arnaldo Carvalho de Melo
2026-05-26 22:00 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 05/29] perf zstd: Fix multi-iteration decompression and error handling Arnaldo Carvalho de Melo
2026-05-26 21:49 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 06/29] perf session: Fix PERF_RECORD_READ swap and dump for variable-length events Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 07/29] perf session: Fix swap_sample_id_all() crash on crafted events Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 08/29] perf session: Add validated swap infrastructure with null-termination checks Arnaldo Carvalho de Melo
2026-05-26 21:55 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 09/29] perf session: Use bounded copy for PERF_RECORD_TIME_CONV Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-26 22:01 ` sashiko-bot [this message]
2026-05-26 21:17 ` [PATCH 11/29] perf session: Validate nr fields against event size on both swap and common paths Arnaldo Carvalho de Melo
2026-05-26 21:54 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 12/29] perf header: Byte-swap build ID event pid and bounds check section entries Arnaldo Carvalho de Melo
2026-05-26 22:05 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 13/29] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-26 22:03 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 14/29] perf auxtrace: Harden auxtrace_error event handling Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 15/29] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-26 21:56 ` sashiko-bot
2026-05-26 21:17 ` [PATCH 16/29] perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 17/29] perf tools: Bounds check perf_event_attr fields against attr.size before printing Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 18/29] perf header: Propagate feature section processing errors Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 19/29] perf header: Validate f_attr.ids section before use in perf_session__read_header() Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 20/29] perf header: Validate feature section size and add read path bounds checking Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 21/29] perf header: Sanity check HEADER_EVENT_DESC attr.size before swap Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 22/29] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-05-26 21:17 ` [PATCH 23/29] perf session: Add byte-swap handler for PERF_RECORD_COMPRESSED2 Arnaldo Carvalho de Melo
2026-05-26 21:18 ` [PATCH 24/29] perf tools: Harden compressed event processing Arnaldo Carvalho de Melo
2026-05-26 22:23 ` sashiko-bot
2026-05-26 21:18 ` [PATCH 25/29] perf session: Check for decompression buffer size overflow Arnaldo Carvalho de Melo
2026-05-26 21:18 ` [PATCH 26/29] perf session: Bound nr_cpus_avail and validate sample CPU Arnaldo Carvalho de Melo
2026-05-26 22:40 ` sashiko-bot
2026-05-26 21:18 ` [PATCH 27/29] perf kwork: Bounds check work->cpu before indexing cpus_runtime[] Arnaldo Carvalho de Melo
2026-05-26 21:18 ` [PATCH 28/29] perf session: Snapshot event->header.size in process_user_event() Arnaldo Carvalho de Melo
2026-05-26 22:31 ` sashiko-bot
2026-05-26 21:18 ` [PATCH 29/29] perf test: Add truncated perf.data robustness test Arnaldo Carvalho de Melo
2026-05-26 22:19 ` sashiko-bot
2026-05-27 0:50 ` Arnaldo Carvalho de Melo
2026-05-27 1:06 ` [PATCHES v4 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
-- strict thread matches above, loose matches on Subject: below --
2026-05-25 1:05 [PATCHES v3 " Arnaldo Carvalho de Melo
2026-05-25 1:05 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-25 1:56 ` sashiko-bot
2026-05-24 3:26 [PATCHES v2 00/29] perf: Harden perf.data parsing against crafted/corrupted files Arnaldo Carvalho de Melo
2026-05-24 3:26 ` [PATCH 10/29] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-24 4:08 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260526220132.E3A611F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox