From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 01/11] perf tools: Fix get_max_num() size_t underflow on empty sysfs file
Date: Mon, 08 Jun 2026 01:45:38 +0000 [thread overview]
Message-ID: <20260608014538.F087B1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260608013057.1942953-2-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Heap out-of-bounds write (poison null byte) due to size_t underflow when reading empty files
--
commit 1a2f44329fa687f2b52540b18c56a66a0d4e9628
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf tools: Fix get_max_num() size_t underflow on empty sysfs file
This commit fixes a size_t underflow in get_max_num() by adding an early
return when a sysfs file is empty. Previously, reading an empty file would
result in num == 0, causing a backward scan to underflow and read
out-of-bounds memory.
> diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
> --- a/tools/perf/util/cpumap.c
> +++ b/tools/perf/util/cpumap.c
> @@ -448,6 +448,12 @@ static int get_max_num(char *path, int *max)
>
> buf[num] = '\0';
>
> + /* empty file — nothing to parse */
> + if (num == 0) {
> + err = -1;
> + goto out;
> + }
> +
[Severity: High]
This isn't a bug introduced by this patch, but while you are fixing
empty file reads here, does this same size_t underflow pattern occur in
other places that read strings?
For instance, in tools/perf/util/pmu.c:pmu_id():
if (filename__read_str(path, &str, &len) < 0)
return NULL;
str[len - 1] = 0; /* remove line feed */
If len is 0 because the identifier file is completely empty, len - 1
underflows to SIZE_MAX. Since the string is heap-allocated and returned
with a length of 0, writing to index SIZE_MAX effectively writes one byte
before the string, which corrupts the malloc chunk size metadata.
A similar pattern seems to exist in
tools/perf/util/thread.c:thread__set_comm_from_proc():
if (procfs__read_str(path, &comm, &sz) == 0) {
comm[sz - 1] = '\0';
err = thread__set_comm(thread, comm, 0);
}
Could these empty file underflows trigger similar heap corruption if the
identifier or comm files happen to be empty?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608013057.1942953-1-acme@kernel.org?part=1
next prev parent reply other threads:[~2026-06-08 1:45 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 1:30 [PATCHES v2 00/11] perf tools: Assorted fixes Arnaldo Carvalho de Melo
2026-06-08 1:30 ` [PATCH 01/11] perf tools: Fix get_max_num() size_t underflow on empty sysfs file Arnaldo Carvalho de Melo
2026-06-08 1:45 ` sashiko-bot [this message]
2026-06-08 1:30 ` [PATCH 02/11] perf tools: Use scnprintf() in cpu_map__snprint() to prevent overflow Arnaldo Carvalho de Melo
2026-06-08 1:30 ` [PATCH 03/11] perf tools: Use perf_env__get_cpu_topology() in machine__resolve() Arnaldo Carvalho de Melo
2026-06-08 1:51 ` sashiko-bot
2026-06-08 1:30 ` [PATCH 04/11] perf mmap: Fix mbind() maxnode vs bitmap allocation mismatch in aio_bind Arnaldo Carvalho de Melo
2026-06-08 1:30 ` [PATCH 05/11] perf tools: NULL bitmap pointers after bitmap_free() Arnaldo Carvalho de Melo
2026-06-08 1:45 ` sashiko-bot
2026-06-08 1:30 ` [PATCH 06/11] perf sched: Bounds-check prio before test_bit() in timehist Arnaldo Carvalho de Melo
2026-06-08 1:51 ` sashiko-bot
2026-06-08 1:30 ` [PATCH 07/11] perf sched: Fix idle-hist callchain display using wrong rb_first variant Arnaldo Carvalho de Melo
2026-06-08 1:30 ` [PATCH 08/11] perf tools: Add O_CLOEXEC to open() calls in DSO and ELF code Arnaldo Carvalho de Melo
2026-06-08 1:44 ` sashiko-bot
2026-06-08 1:30 ` [PATCH 09/11] perf bpf: Use scnprintf() in snprintf_hex() and synthesize_bpf_prog_name() Arnaldo Carvalho de Melo
2026-06-08 1:30 ` [PATCH 10/11] perf hists: Fix snprintf() in hists__scnprintf_title() UID filter path Arnaldo Carvalho de Melo
2026-06-08 1:51 ` sashiko-bot
2026-06-08 1:30 ` [PATCH 11/11] perf tools: Use scnprintf() in build_id__snprintf() and hwmon read_events() Arnaldo Carvalho de Melo
2026-06-08 1:54 ` sashiko-bot
-- strict thread matches above, loose matches on Subject: below --
2026-06-07 23:29 [PATCHES v1 00/11] perf tools: Assorted fixes Arnaldo Carvalho de Melo
2026-06-07 23:29 ` [PATCH 01/11] perf tools: Fix get_max_num() size_t underflow on empty sysfs file Arnaldo Carvalho de Melo
2026-06-07 23:45 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608014538.F087B1F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox