From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
James Clark <james.clark@linaro.org>,
Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Clark Williams <williams@redhat.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
Arnaldo Carvalho de Melo <acme@kernel.org>
Subject: [PATCHES v1 0/5] perf tools: Fix OOB reads, reference leaks, and overflow in sched/script/auxtrace
Date: Fri, 5 Jun 2026 09:15:09 -0300
Message-ID: <20260605121515.1725549-1-acme@kernel.org>
Hi,

Five more pre-existing bugs found by sashiko-bot during AI-assisted
review of the perf-data-validation hardening series. All are
independent of that series -- they are latent bugs in surrounding code
exposed during review.

1. test_bit(cpu, cpu_bitmap) reads out of bounds in
   auxtrace.c:filter_cpu() and builtin-script.c:filter_cpu() when
   the CPU value is negative or >= MAX_NR_CPUS. Same class of bug
   fixed in the previous series for annotate, diff, report, and
   sched.

2. cpu__get_node() in cpumap.c indexes cpunode_map[] without bounds
   checking against max_cpu_num. Callers like builtin-kmem pass
   untrusted sample->cpu from perf.data.

3. Thread reference leaks in perf sched timehist_get_thread() --
   two error paths and the success path in the idle_hist block
   fail to release thread references acquired via
   machine__findnew_thread() and get_idle_thread().

4. sched->max_cpu updated from sample->cpu without bounds checking
   in perf_timehist__process_sample(). Later code uses max_cpu + 1
   as iteration count over arrays allocated with MAX_CPUS entries.
   Also caps the env->nr_cpus_online initialization.

5. register_pid() in perf sched replay has integer overflow on
   32-bit (pid * sizeof wraps), strcpy into fixed 20-byte buffer
   without length check, BUG_ON on allocation failure, and unsafe
   realloc pattern that leaks on failure.

All require crafted or unusual perf.data inputs to trigger.

Verified with gcc and clang builds, checkpatch, and perf test.

Arnaldo Carvalho de Melo (5):
  perf tools: Guard remaining test_bit calls from OOB sample CPU
  perf tools: Add bounds check to cpu__get_node()
  perf sched: Fix thread reference leaks in timehist_get_thread()
  perf sched: Cap max_cpu at MAX_CPUS in timehist sample processing
  perf sched: Fix register_pid() overflow, strcpy, and BUG_ON

 tools/perf/builtin-sched.c  | 56 +++++++++++++++++++++++++++++++++------------
 tools/perf/builtin-script.c |  2 +-
 tools/perf/util/auxtrace.c  |  3 ++-
 tools/perf/util/cpumap.c    |  4 ++++
 4 files changed, 49 insertions(+), 16 deletions(-)

Developed with AI assistance (Claude/sashiko), tagged in commits.

Thanks,

- Arnaldo
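The cover letter names the bug classes without showing the code shape that fixes them. The following is an added example, not code from tools/perf or from this series: it shows, in hardened form, a bounds check on a sample-supplied CPU before a bitmap lookup (items 1 and 2), and a pid-indexed table grown with an overflow-checked, leak-free realloc and a bounded comm copy that returns an error instead of hitting BUG_ON (item 5). cpu_in_bitmap, raw_test_bit, pid_table, pid_table_register, pid_table_comm, COMM_LEN, MAX_PID and sample_cpu_bitmap are illustrative names and limits assumed for this example, not perf's own symbols; the 20-byte comm buffer mirrors the size the letter reports.

```c
/* Added example, not perf code: hardened forms of two of the bug classes
 * in the cover letter. All names below are assumptions for illustration. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BITS_PER_LONG ((int)(8 * sizeof(unsigned long)))

/* Stand-in for the kernel's test_bit(): no bounds check by design, so a
 * negative or too-large index reads outside the bitmap. */
static bool raw_test_bit(unsigned int nr, const unsigned long *addr)
{
	return (addr[nr / BITS_PER_LONG] >> (nr % BITS_PER_LONG)) & 1UL;
}

/* A CPU number from a perf.data sample is untrusted: reject anything
 * outside [0, nr_cpus) before the bitmap is touched. */
bool cpu_in_bitmap(int cpu, const unsigned long *bitmap, int nr_cpus)
{
	if (cpu < 0 || cpu >= nr_cpus)
		return false;
	return raw_test_bit((unsigned int)cpu, bitmap);
}

/* Constructed bitmap: two words, CPUs 3 and BITS_PER_LONG + 6 selected. */
#define SAMPLE_NR_CPUS (2 * BITS_PER_LONG)
const unsigned long sample_cpu_bitmap[2] = { 1UL << 3, 1UL << 6 };

#define COMM_LEN 20                        /* fixed buffer, as reported   */
#define MAX_PID  ((unsigned long)1 << 22)  /* assumed cap (Linux pid_max) */

struct pid_entry {
	bool registered;
	char comm[COMM_LEN];
};

struct pid_table {
	struct pid_entry *entries;
	size_t nr_entries;   /* slots allocated, indexed directly by pid */
};

/* Record comm for pid, growing the table to pid + 1 slots if needed.
 * Returns 0 on success, -1 on bad input or allocation failure; on
 * failure the table is left exactly as it was (no BUG_ON, no leak). */
int pid_table_register(struct pid_table *t, unsigned long pid, const char *comm)
{
	size_t len;

	if (pid > MAX_PID || comm == NULL)
		return -1;
	/* Refuse rather than truncate: a silent cut would later make two
	 * different comms compare equal. */
	len = strlen(comm);
	if (len >= COMM_LEN)
		return -1;

	if (pid >= t->nr_entries) {
		size_t new_nr = (size_t)pid + 1;
		size_t bytes;
		struct pid_entry *tmp;

		/* (pid + 1) * sizeof wraps on 32-bit for large pids, and a
		 * wrapped size makes realloc hand back a buffer the index
		 * below would overrun: check the multiplication itself. */
		if (__builtin_mul_overflow(new_nr, sizeof(*tmp), &bytes))
			return -1;
		/* realloc into a temporary: assigning its result straight to
		 * t->entries loses the old block when it returns NULL. */
		tmp = realloc(t->entries, bytes);
		if (!tmp)
			return -1;
		memset(tmp + t->nr_entries, 0,
		       (new_nr - t->nr_entries) * sizeof(*tmp));
		t->entries = tmp;
		t->nr_entries = new_nr;
	}

	memcpy(t->entries[pid].comm, comm, len + 1);  /* len + 1 <= COMM_LEN */
	t->entries[pid].registered = true;
	return 0;
}

/* Look up comm for pid; NULL when out of range or never registered. */
const char *pid_table_comm(const struct pid_table *t, unsigned long pid)
{
	if (pid >= t->nr_entries || !t->entries[pid].registered)
		return NULL;
	return t->entries[pid].comm;
}

void pid_table_free(struct pid_table *t)
{
	free(t->entries);
	t->entries = NULL;
	t->nr_entries = 0;
}

struct pid_table demo_table = { NULL, 0 };  /* constructed, for the demo */

int main(void)
{
	printf("cpu -1 selected: %d\n", cpu_in_bitmap(-1, sample_cpu_bitmap, SAMPLE_NR_CPUS));
	printf("cpu  3 selected: %d\n", cpu_in_bitmap(3, sample_cpu_bitmap, SAMPLE_NR_CPUS));
	printf("register 42/bash: %d\n", pid_table_register(&demo_table, 42, "bash"));
	printf("register 7/<25 chars>: %d\n",
	       pid_table_register(&demo_table, 7, "a-comm-longer-than-twenty"));
	printf("comm(42) = %s\n", pid_table_comm(&demo_table, 42));
	pid_table_free(&demo_table);
	return 0;
}
```

The two checks worth copying are the ones that are easy to drop when the table grows by pid rather than by count: the multiplication is checked with __builtin_mul_overflow (a GCC/clang builtin) instead of being trusted to stay in range, and the grown block is assigned back only after realloc has succeeded, so an allocation failure is reported to the caller with the old table intact instead of leaking it or aborting the whole run. The perf tree has its own bitmap and allocation helpers; this example only shows the shape of the guards.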
Thread overview: 14+ messages
2026-06-05 12:15 Arnaldo Carvalho de Melo [this message]
2026-06-05 12:15 ` [PATCH 1/5] perf tools: Guard remaining test_bit calls from OOB sample CPU Arnaldo Carvalho de Melo
2026-06-05 12:31 ` sashiko-bot
2026-06-05 12:15 ` [PATCH 2/5] perf tools: Add bounds check to cpu__get_node() Arnaldo Carvalho de Melo
2026-06-05 14:30 ` sashiko-bot
2026-06-05 14:45 ` Arnaldo Carvalho de Melo
2026-06-05 12:15 ` [PATCH 3/5] perf sched: Fix thread reference leaks in timehist_get_thread() Arnaldo Carvalho de Melo
2026-06-05 12:35 ` sashiko-bot
2026-06-05 12:15 ` [PATCH 4/5] perf sched: Cap max_cpu at MAX_CPUS in timehist sample processing Arnaldo Carvalho de Melo
2026-06-05 12:43 ` sashiko-bot
2026-06-05 14:34 ` David Ahern
2026-06-05 15:01 ` Arnaldo Carvalho de Melo
2026-06-05 12:15 ` [PATCH 5/5] perf sched: Fix register_pid() overflow, strcpy, and BUG_ON Arnaldo Carvalho de Melo
2026-06-05 12:29 ` sashiko-bot