Re: [PATCH 2/7] perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu

Linux Perf Users
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 2/7] perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu
Date: Sat, 06 Jun 2026 20:23:35 +0000	[thread overview]
Message-ID: <20260606202336.0F9321F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260606200601.1861227-3-acme@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing bounds validation for the untrusted `sample->cpu` index when accessing the dynamically allocated `env->cpu` array in `machine__resolve()`.
--

commit 50d04a9b8194c04adf66854548c5855bbd4c23f4
Author: Arnaldo Carvalho de Melo <acme@redhat.com>

perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu

This commit introduces a safe accessor, perf_env__get_cpu_topology(), to
prevent NULL pointer dereferences when accessing env->cpu on older
perf.data files. It also updates several topology aggregation callbacks
in builtin-stat.c to use this new accessor.

> diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h
> index 7621d1f73b83a..7acca39b42ff3 100644
> --- a/tools/perf/util/env.h
> +++ b/tools/perf/util/env.h

[ ... ]

> @@ -187,6 +187,20 @@ const char *perf_env__pmu_mappings(struct perf_env *env);
>  
>  int perf_env__read_cpu_topology_map(struct perf_env *env);
>  
> +/*
> + * Safe accessor for env->cpu[] topology array.  env->cpu can be NULL when
> + * reading old-format perf.data that predates topology information —
> + * process_cpu_topology() in header.c frees it while nr_cpus_avail remains
> + * set, so callers must not index env->cpu[] without this check.
> + */
> +static inline struct cpu_topology_map *
> +perf_env__get_cpu_topology(struct perf_env *env, struct perf_cpu cpu)
> +{
> +	if (env->cpu && cpu.cpu >= 0 && cpu.cpu < env->nr_cpus_avail)
> +		return &env->cpu[cpu.cpu];
> +	return NULL;
> +}

[Severity: High]
This is a pre-existing issue, but I noticed that tools/perf/util/event.c
accesses the dynamically allocated env->cpu array without validation.

In machine__resolve():

	if (al->cpu >= 0) {
		struct perf_env *env = machine->env;

		if (env && env->cpu)
			al->socket = env->cpu[al->cpu].socket_id;
	}

Since al->cpu is derived from the untrusted perf.data file payload,
can this trigger an out-of-bounds heap read on env->cpu[] if the
file provides an artificially large CPU index?

Would it make sense to update machine__resolve() to use this new
perf_env__get_cpu_topology() helper to ensure proper validation against
env->nr_cpus_avail?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260606200601.1861227-1-acme@kernel.org?part=2

next prev parent reply	other threads:[~2026-06-06 20:23 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-06 20:05 [PATCH v1 0/7] perf tools: Fix NULL derefs, OOB reads, use-after-free, and memory leaks Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 1/7] perf mmap: Fix NULL deref in aio cleanup on alloc failure Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 2/7] perf stat: Introduce perf_env__get_cpu_topology() to guard NULL env->cpu Arnaldo Carvalho de Melo
2026-06-06 20:23   ` sashiko-bot [this message]
2026-06-06 21:47     ` Arnaldo Melo
2026-06-06 20:05 ` [PATCH 3/7] perf c2c: Fix use-after-free in he__get_c2c_hists() error path Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 4/7] perf timechart: Fix cpu2y() OOB read on untrusted CPU index Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 5/7] perf tools: Fix int16_t truncation of max_cpu_num in set_max_cpu_num() Arnaldo Carvalho de Melo
2026-06-06 20:19   ` sashiko-bot
2026-06-06 20:05 ` [PATCH 6/7] perf sched: Free callchain nodes in idle thread cleanup Arnaldo Carvalho de Melo
2026-06-06 20:05 ` [PATCH 7/7] libperf: Document struct perf_cpu int16_t ABI limitation Arnaldo Carvalho de Melo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260606202336.0F9321F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=acme@kernel.org \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox