From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 13/13] perf cs-etm: Reject CPU IDs that would overflow signed comparison
Date: Fri, 12 Jun 2026 22:51:45 +0000 [thread overview]
Message-ID: <20260612225146.4D4371F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612222413.40791-14-acme@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Integer overflow when allocating the `metadata` array using an unvalidated user-controlled `num_cpu`, leading to a severe heap buffer overflow and arbitrary free on 32-bit systems.
--
commit 485dac05154448b657087d80bf132fafa9c32fbd
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf cs-etm: Reject CPU IDs that would overflow signed comparison
This commit validates that the CPU ID from perf.data fits within an int
before performing a signed comparison with max_cpu. This prevents an integer
overflow that could lead to an out-of-bounds access when indexing the
queue_array.
> diff --git a/tools/perf/util/cs-etm.c b/tools/perf/util/cs-etm.c
> index 5e92359f51a7c..0927b0b9c06b1 100644
> --- a/tools/perf/util/cs-etm.c
> +++ b/tools/perf/util/cs-etm.c
[ ... ]
> @@ -3468,7 +3469,13 @@ int cs_etm__process_auxtrace_info_full(union perf_event *event,
> goto err_free_metadata;
> }
>
> - if ((int) metadata[j][CS_ETM_CPU] > max_cpu)
> + /* CPU id comes from perf.data and must fit max_cpu + 1 without overflow */
> + if (metadata[j][CS_ETM_CPU] >= INT_MAX) {
> + err = -EINVAL;
> + goto err_free_metadata;
> + }
> +
[Severity: High]
This is a pre-existing issue and was not introduced by the patch under review,
but since we are looking at error paths and validation in this function, can
the allocation of the metadata array overflow on 32-bit systems?
Earlier in cs_etm__process_auxtrace_info_full(), num_cpu is extracted from
perf.data:
num_cpu = ptr[CS_PMU_TYPE_CPUS] & 0xffffffff;
metadata = zalloc(sizeof(*metadata) * num_cpu);
If a large value like 0x40000001 is provided on a 32-bit architecture, does
sizeof(*metadata) * num_cpu wrap around to a small allocation size?
If metadata is undersized, wouldn't the subsequent parsing loop write out of
bounds:
for (int j = 0; j < num_cpu; j++) {
if (ptr[i] == __perf_cs_etmv3_magic) {
metadata[j] = ...
Additionally, if we take an error path (like the one added in this patch)
and jump to err_free_metadata:
err_free_metadata:
for (int j = 0; j < num_cpu; j++)
zfree(&metadata[j]);
does this read out-of-bounds pointers from the undersized metadata array
and pass them to free()?
> + if ((int)metadata[j][CS_ETM_CPU] > max_cpu)
> max_cpu = metadata[j][CS_ETM_CPU];
> }
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612222413.40791-1-acme@kernel.org?part=13
prev parent reply other threads:[~2026-06-12 22:51 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 22:23 [PATCHES v2 00/13] perf tools: Fix pre-existing bugs in symbols, dso, bpf, sched, c2c, hwmon, and cs-etm Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 01/13] perf symbols: Fix bswap copy-paste error for 32-bit ELF p_filesz Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 02/13] perf symbols: Validate p_filesz before use in filename__read_build_id() Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 03/13] perf symbols: Break infinite loop on zero-filled notes in sysfs__read_build_id() Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 04/13] perf dso: Fix heap overflow in dso__get_filename() on decompressed path Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 05/13] perf dso: Set error code when open() fails on uncompressed fallback path Arnaldo Carvalho de Melo
2026-06-12 22:40 ` sashiko-bot
2026-06-12 22:24 ` [PATCH 06/13] perf tools: Use snprintf() for root_dir path construction Arnaldo Carvalho de Melo
2026-06-13 0:37 ` sashiko-bot
2026-06-12 22:24 ` [PATCH 07/13] perf hwmon: Fix fd check to accept fd 0 in hwmon_pmu__describe_items() Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 08/13] perf sched: Replace (void*)1 sentinel with proper runtime allocation Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 09/13] perf bpf: Validate func_info_rec_size and sub_id in synthesize_bpf_prog_name() Arnaldo Carvalho de Melo
2026-06-12 22:44 ` sashiko-bot
2026-06-12 22:24 ` [PATCH 10/13] perf bpf: Reject oversized BPF metadata events that truncate header.size Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 11/13] perf bpf: Bounds-check array offsets in bpil_offs_to_addr() Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 12/13] perf c2c: Free format list entries when releasing c2c hist entries Arnaldo Carvalho de Melo
2026-06-12 22:24 ` [PATCH 13/13] perf cs-etm: Reject CPU IDs that would overflow signed comparison Arnaldo Carvalho de Melo
2026-06-12 22:51 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612225146.4D4371F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox