From: sashiko-bot@kernel.org
To: "James Clark" <james.clark@linaro.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v4 12/19] perf test cs-etm: Skip if not root
Date: Tue, 09 Jun 2026 14:53:01 +0000 [thread overview]
Message-ID: <20260609145301.D5E931F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260609-james-cs-context-tracking-fix-v4-12-44f9fb9e5c42@linaro.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Medium] A Time-of-Check to Time-of-Use (TOCTOU) race condition exists due to an unsafe temporary file deletion and recreation pattern, allowing local attackers to modify arbitrary file timestamps or create empty files as root.
--
commit a4b1e28698440010ef2bccdf78c5fee8d8a1850d
Author: James Clark <james.clark@linaro.org>
perf test cs-etm: Skip if not root
This commit adds a root privilege check to the Arm CoreSight trace tests.
It ensures the tests are skipped gracefully with a clear message if the
user running them is not root, as root access is required for certain
testing modes.
> diff --git a/tools/perf/tests/shell/test_arm_coresight.sh b/tools/perf/tests/shell/test_arm_coresight.sh
> index 39553702c1f31..8ed2c934c87d0 100755
> --- a/tools/perf/tests/shell/test_arm_coresight.sh
> +++ b/tools/perf/tests/shell/test_arm_coresight.sh
> @@ -20,6 +20,12 @@ skip_if_no_cs_etm_event() {
>
> skip_if_no_cs_etm_event || exit 2
>
> +if [ "$(id -u)" != 0 ]; then
> + # Requires root for -C and system wide tests
> + echo "[Skip] No root permission"
> + exit 2
> +fi
> +
[Severity: Medium]
This is a pre-existing issue, but by enforcing that this script must run
as root, does this turn an existing race condition into a local privilege
escalation or denial-of-service vector?
Can we fix the temporary file handling here? Currently, the script securely
creates a temporary file but later deletes and recreates it:
tools/perf/tests/shell/test_arm_coresight.sh:record_touch_file() {
...
rm -f $file
perf record -o ${perfdata} -e cs_etm/@$1/u --per-thread \
-- taskset -c $2 touch $file > /dev/null 2>&1
}
Since the file is securely created in the world-writable /tmp directory via
mktemp, the rm -f frees the predictable name. An attacker monitoring /tmp
can race to create a symlink at this path after the deletion but before the
root user executes touch.
Would this allow an attacker to modify arbitrary file timestamps or create
empty files as root?
> perfdata=$(mktemp /tmp/__perf_test.perf.data.XXXXX)
> file=$(mktemp /tmp/temporary_file.XXXXX)
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609-james-cs-context-tracking-fix-v4-0-44f9fb9e5c42@linaro.org?part=12
next prev parent reply other threads:[~2026-06-09 14:53 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 14:30 [PATCH v4 00/19] perf cs-etm: Queue context packets for frontend James Clark
2026-06-09 14:30 ` [PATCH v4 01/19] " James Clark
2026-06-09 14:46 ` sashiko-bot
2026-06-09 14:30 ` [PATCH v4 02/19] perf test: Add workload-ctl option James Clark
2026-06-09 14:40 ` sashiko-bot
2026-06-09 14:30 ` [PATCH v4 03/19] perf test: Add a workload that forces context switches James Clark
2026-06-09 14:30 ` [PATCH v4 04/19] perf test cs-etm: Test process attribution James Clark
2026-06-09 14:41 ` sashiko-bot
2026-06-09 14:30 ` [PATCH v4 05/19] perf test: Add deterministic workload James Clark
2026-06-09 14:30 ` [PATCH v4 06/19] perf test cs-etm: Replace unroll loop thread with deterministic decode test James Clark
2026-06-09 14:52 ` sashiko-bot
2026-06-09 14:31 ` [PATCH v4 07/19] perf test cs-etm: Remove asm_pure_loop test James Clark
2026-06-09 14:53 ` sashiko-bot
2026-06-09 14:31 ` [PATCH v4 08/19] perf test cs-etm: Replace memcpy test with raw dump stress test James Clark
2026-06-09 14:31 ` [PATCH v4 09/19] perf test: Add named_threads workload James Clark
2026-06-09 14:50 ` sashiko-bot
2026-06-09 14:31 ` [PATCH v4 10/19] perf test cs-etm: Test decoding for concurrent threads test James Clark
2026-06-09 14:31 ` [PATCH v4 11/19] perf test cs-etm: Remove duplicate branch tests James Clark
2026-06-09 14:31 ` [PATCH v4 12/19] perf test cs-etm: Skip if not root James Clark
2026-06-09 14:53 ` sashiko-bot [this message]
2026-06-09 14:31 ` [PATCH v4 13/19] perf test cs-etm: Reduce snapshot size James Clark
2026-06-09 14:31 ` [PATCH v4 14/19] perf test cs-etm: Speed up basic test James Clark
2026-06-09 14:31 ` [PATCH v4 15/19] perf test cs-etm: Remove unused Coresight workloads James Clark
2026-06-09 14:31 ` [PATCH v4 16/19] perf test cs-etm: Make disassembly test use kcore James Clark
2026-06-09 14:31 ` [PATCH v4 17/19] perf test cs-etm: Add all branch instructions to test James Clark
2026-06-09 14:31 ` [PATCH v4 18/19] perf test cs-etm: Speed up disassembly test James Clark
2026-06-09 15:06 ` sashiko-bot
2026-06-09 14:31 ` [PATCH v4 19/19] perf test cs-etm: Move existing tests to coresight folder James Clark
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609145301.D5E931F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=james.clark@linaro.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox