From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 09/13] perf bpf: Validate func_info_rec_size and sub_id in synthesize_bpf_prog_name()
Date: Fri, 12 Jun 2026 22:44:25 +0000 [thread overview]
Message-ID: <20260612224426.845D81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612222413.40791-10-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Medium] `prog_tags[sub_id]` is unconditionally accessed, allowing NULL or arbitrary pointer dereferences due to `perf.data` bitmask manipulation.
--
commit 78ed4be2586d28e75e2bc2be14dcd1813163bc05
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf bpf: Validate func_info_rec_size and sub_id in synthesize_bpf_prog_name()
This commit adds bounds checking for func_info_rec_size and sub_id in
synthesize_bpf_prog_name() to prevent out-of-bounds reads when parsing
untrusted data from perf.data files.
> diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
> index c4594969d7677..fe6fbca508c51 100644
> --- a/tools/perf/util/bpf-event.c
> +++ b/tools/perf/util/bpf-event.c
> @@ -143,7 +143,9 @@ static int synthesize_bpf_prog_name(char *buf, int size,
> name_len = scnprintf(buf, size, "bpf_prog_");
> name_len += snprintf_hex(buf + name_len, size - name_len,
> prog_tags[sub_id], BPF_TAG_SIZE);
[Severity: Medium]
This is a pre-existing issue, but since we are actively hardening this
function against untrusted perf.data input, should we also validate prog_tags
before dereferencing it here?
If an attacker crafts a perf.data file that clears the PERF_BPIL_PROG_TAGS
bit in info_linear->arrays but leaves info->prog_tags set to an arbitrary
64-bit value, the offset translation and bounds checking in
bpil_offs_to_addr() are skipped.
Because the translation is skipped, synthesize_bpf_prog_name() retains the
untrusted value, blindly casts info->prog_tags to a pointer, and dereferences
it unconditionally via prog_tags[sub_id].
Could this lead to an arbitrary memory read or a NULL pointer dereference
crash during parsing?
> - if (btf) {
> + if (btf &&
> + info->func_info_rec_size >= sizeof(*finfo) &&
> + sub_id < info->nr_func_info) {
> finfo = func_infos + sub_id * info->func_info_rec_size;
> t = btf__type_by_id(btf, finfo->type_id);
> if (t)
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612222413.40791-1-acme@kernel.org?part=9
next prev parent reply other threads:[~2026-06-12 22:44 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 22:23 [PATCHES v2 00/13] perf tools: Fix pre-existing bugs in symbols, dso, bpf, sched, c2c, hwmon, and cs-etm Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 01/13] perf symbols: Fix bswap copy-paste error for 32-bit ELF p_filesz Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 02/13] perf symbols: Validate p_filesz before use in filename__read_build_id() Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 03/13] perf symbols: Break infinite loop on zero-filled notes in sysfs__read_build_id() Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 04/13] perf dso: Fix heap overflow in dso__get_filename() on decompressed path Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 05/13] perf dso: Set error code when open() fails on uncompressed fallback path Arnaldo Carvalho de Melo
2026-06-12 22:40 ` sashiko-bot
2026-06-12 22:24 ` [PATCH 06/13] perf tools: Use snprintf() for root_dir path construction Arnaldo Carvalho de Melo
2026-06-13 0:37 ` sashiko-bot
2026-06-12 22:24 ` [PATCH 07/13] perf hwmon: Fix fd check to accept fd 0 in hwmon_pmu__describe_items() Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 08/13] perf sched: Replace (void*)1 sentinel with proper runtime allocation Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 09/13] perf bpf: Validate func_info_rec_size and sub_id in synthesize_bpf_prog_name() Arnaldo Carvalho de Melo
2026-06-12 22:44 ` sashiko-bot [this message]
2026-06-12 22:24 ` [PATCH 10/13] perf bpf: Reject oversized BPF metadata events that truncate header.size Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 11/13] perf bpf: Bounds-check array offsets in bpil_offs_to_addr() Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 12/13] perf c2c: Free format list entries when releasing c2c hist entries Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 13/13] perf cs-etm: Reject CPU IDs that would overflow signed comparison Arnaldo Carvalho de Melo
2026-06-12 22:51 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612224426.845D81F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox