Re: [PATCH 10/15] perf bpf: Validate func_info_rec_size and sub_id in synthesize_bpf_prog_name()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Medium] Arbitrary memory read due to unvalidated array offsets in `bpil_offs_to_addr()` when array bits are unset
--

commit a163a7a43ee7ff41ce65cced45401ef40028fc1f
Author: Arnaldo Carvalho de Melo <acme@redhat.com>

perf bpf: Validate func_info_rec_size and sub_id in synthesize_bpf_prog_name()

synthesize_bpf_prog_name() computes a pointer into the func_info array
using sub_id * info->func_info_rec_size without validating either value.
Both come from perf.data and are untrusted, so bounds checks are added
before computing the pointer offset.

> diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
> index c4594969d7677..fe6fbca508c51 100644
> --- a/tools/perf/util/bpf-event.c
> +++ b/tools/perf/util/bpf-event.c
> @@ -143,7 +143,9 @@ static int synthesize_bpf_prog_name(char *buf, int size,
>  	name_len = scnprintf(buf, size, "bpf_prog_");
>  	name_len += snprintf_hex(buf + name_len, size - name_len,
>  				 prog_tags[sub_id], BPF_TAG_SIZE);

[Severity: Medium]
This is a pre-existing issue, but does casting info->prog_tags to a pointer
and dereferencing it here allow an arbitrary memory read if a malicious
perf.data is provided?

If an attacker clears the array bit in info_linear->arrays,
bpil_offs_to_addr() will silently skip converting or validating the offset:

tools/perf/util/bpf-utils.c:bpil_offs_to_addr() {
    ...
    if ((info_linear->arrays & (1UL << i)) == 0)
        continue;
    ...
}

This leaves the raw, untrusted 64-bit value from the file intact in
info->prog_tags.

> -	if (btf) {
> +	if (btf &&
> +	    info->func_info_rec_size >= sizeof(*finfo) &&
> +	    sub_id < info->nr_func_info) {

[Severity: Medium]
This is a pre-existing issue, but does info->func_info face the same
arbitrary memory read vulnerability?

The func_infos pointer is assigned from info->func_info earlier in
synthesize_bpf_prog_name(). If its array bit is cleared in
info_linear->arrays, it retains the untrusted value.

Since info->nr_func_info is also fully attacker-controlled in this
scenario, could an attacker bypass this bounds check and read from
an arbitrary address?

Similar unvalidated pointer accesses appear to happen in
__bpf_event__print_bpf_prog_info() when it casts info->jited_func_lens
and info->jited_ksyms to pointers.

>  		finfo = func_infos + sub_id * info->func_info_rec_size;
>  		t = btf__type_by_id(btf, finfo->type_id);
>  		if (t)

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612003444.50723-1-acme@kernel.org?part=10