Linux Perf Users
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Athira Rajeev" <atrajeev@linux.ibm.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 5/9] tools/perf: process htm auxtrace events and display in perf report -D
Date: Wed, 01 Jul 2026 09:05:41 +0000	[thread overview]
Message-ID: <20260701090542.1938F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701084115.80383-6-atrajeev@linux.ibm.com>

Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
- [High] Unchecked return value of evlist__event2evsel() leads to immediate null pointer dereference.
- [High] Incorrect minimum size calculation for the auxtrace_info event allows out-of-bounds read of the priv array.
- [High] Unconditionally creates and truncates files with predictable names in the working directory, enabling data clobbering and symlink attacks.
- [High] Direct access to evsel->name without a NULL check leads to a crash when an event is unnamed.
- [Medium] Missing explicit inclusion of POSIX standard headers (<stdio.h>, <stdlib.h>, <string.h>), which breaks compilation on musl libc.
- [Medium] Metadata is improperly extracted from local evsel config instead of serialized priv array, and htm_info_fill fails to populate the payload.
--

commit 30d1cdd44c59f9d127ce163684cc99673a095817
Author: Athira Rajeev <atrajeev@linux.ibm.com>
Subject: tools/perf: process htm auxtrace events and display in perf report -D

This commit adds the htm pmu auxtrace process function for perf script -D.
It defines functions to handle PERF_RECORD_AUXTRACE_INFO records and setups
the aux data queues. It also writes the trace data to files based on node,
chip, and core indices.

> diff --git a/tools/perf/arch/powerpc/util/htm.c b/tools/perf/arch/powerpc/util/htm.c
> index cc733f45ac9b0..0e6638c02716c 100644
> --- a/tools/perf/arch/powerpc/util/htm.c
> +++ b/tools/perf/arch/powerpc/util/htm.c
> @@ -56,6 +56,7 @@ htm_recording_options(struct auxtrace_record *ar __maybe_unused,
>  		if (strstarts(pos->name, "htm")) {

[Severity: High]
Does this unconditionally dereference pos->name?

The name field of an evsel can be dynamically allocated and might be NULL
for certain parsed or synthesized events.

Can passing NULL to strstarts() (which wraps strncmp()) cause an immediate
crash? A similar unconditional access to evsel->name without a NULL check
also appears to happen in arch_perf_record__need_read().

>  			pos->needs_auxtrace_mmap = true;
>  			pos->core.attr.aux_watermark = opts->auxtrace_mmap_pages * (size_t)page_size;
> +			pos->core.attr.sample_type |= PERF_SAMPLE_RAW;
>  			break;
>  		}
>  	}

[ ... ]

> @@ -75,6 +76,8 @@ htm_info_fill(struct auxtrace_record *itr __maybe_unused,
>  		struct perf_record_auxtrace_info *auxtrace_info __maybe_unused,
>  		size_t priv_size __maybe_unused)
>  {
> +	auxtrace_info->type = PERF_AUXTRACE_POWERPC_HTM;
>  
>  	return 0;
>  }

[Severity: Medium]
Does this logic fail to serialize the hardware metadata?

Following the auxtrace standard, the hardware metadata should be serialized
into the auxtrace_info->priv array here, but it appears to be left empty.

[ ... ]

> diff --git a/tools/perf/util/powerpc-htm.c b/tools/perf/util/powerpc-htm.c
> index 5043ff41a609e..ffddf0e59fc14 100644
> --- a/tools/perf/util/powerpc-htm.c
> +++ b/tools/perf/util/powerpc-htm.c
> @@ -9,6 +9,24 @@
>  #include "session.h"
>  #include "debug.h"
>  #include <internal/xyarray.h>
> +#include <linux/string.h>
> +#include "color.h"
> +#include <inttypes.h>
> +#include "powerpc-htm.h"
> +#include <errno.h>

[Severity: Medium]
Will this break the build on musl libc systems?

The code in powerpc-htm.c heavily uses FILE, fopen, fclose, snprintf, zalloc,
and free, but does not explicitly include the required POSIX standard headers
<stdio.h> and <stdlib.h>.

[ ... ]

> +int powerpc_htm_process_auxtrace_info(union perf_event *event,
> +				  struct perf_session *session)
> +{
> +	struct perf_record_auxtrace_info *auxtrace_info = &event->auxtrace_info;
> +	struct evsel *evsel = evlist__event2evsel(session->evlist, event);
> +	u32 nodeindex, nodalchipindex, coreindexonchip;
> +	int config = (evsel->core.attr.config);

[Severity: High]
Can evlist__event2evsel() return NULL here if it fails to map the event?

If so, dereferencing it immediately for evsel->core.attr.config would lead
to a segmentation fault on crafted or corrupted perf.data files.

[Severity: Medium]
Is it correct to extract the metadata indices (nodeindex, etc.) from the local
runtime evsel config?

For synthesized auxtrace events, evlist__event2evsel() often returns the first
event in the list (which could be a dummy event), potentially yielding garbage
config values. Should these instead be read from the serialized
auxtrace_info->priv array?

> +	size_t min_sz = sizeof(u64) * POWERPC_HTM_TYPE;
> +	struct powerpc_htm *htm;
> +	int err;
> +	FILE *fp;
> +
> +	nodeindex = (config >> 4) & 0xff;
> +	nodalchipindex = (config >> 12) & 0xff;
> +	coreindexonchip = (config >> 20) & 0xff;
> +
> +	if (auxtrace_info->header.size < sizeof(struct perf_record_auxtrace_info) +
> +					min_sz)
> +		return -EINVAL;

[Severity: High]
Will min_sz evaluate to 0 because POWERPC_HTM_TYPE is 0 (the first element
in the enum)?

If so, this check will pass even for a payload with no priv elements.

[ ... ]

> +	htm->session = session;
> +	htm->machine = &session->machines.host; /* No kvm support */
> +	htm->auxtrace_type = auxtrace_info->type;
> +	htm->pmu_type = auxtrace_info->priv[POWERPC_HTM_TYPE];

[Severity: High]
Because of the size validation above passing for 0 elements, does reading
auxtrace_info->priv[POWERPC_HTM_TYPE] result in an out-of-bounds memory read
past the end of the validated event buffer?

> +
> +	htm->auxtrace.process_event = powerpc_htm_process_event;
> +	htm->auxtrace.process_auxtrace_event = powerpc_htm_process_auxtrace_event;
> +	htm->auxtrace.flush_events = powerpc_htm_flush;
> +	htm->auxtrace.free_events = powerpc_htm_free_events;
> +	htm->auxtrace.free = powerpc_htm_free;
> +	session->auxtrace = &htm->auxtrace;
> +
> +	snprintf(htm->htmbin_file, sizeof(htm->htmbin_file), "htm.bin.n%d.p%d.c%d", nodeindex, nodalchipindex, coreindexonchip);
> +	fp = fopen(htm->htmbin_file, "w");
> +	if (!fp) {
> +		pr_err("Failed to create %s: %s\n", htm->htmbin_file, strerror(errno));
> +		return -errno;
> +	}
> +	fclose(fp);

[Severity: High]
Could this enable data clobbering and symlink attacks?

By unconditionally constructing a predictable filename and opening it with "w",
this aggressively truncates any existing file in the current working
directory. An attacker could place a symlink here to truncate arbitrary files
when another user runs perf script.

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701084115.80383-1-atrajeev@linux.ibm.com?part=5

  reply	other threads:[~2026-07-01  9:05 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  8:41 [PATCH 0/9] tools/perf: Add interface to expose HTM trace data via perf Athira Rajeev
2026-07-01  8:41 ` [PATCH 1/9] tool/perf: Move auxtrace_record__init for powerpc-vpadtl as separate utility Athira Rajeev
2026-07-01  8:56   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 2/9] tools/perf: Add CONFIG_AUXTRACE support for HTM pmu on powerpc Athira Rajeev
2026-07-01  8:55   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 3/9] tools/perf: Add arch_record__collect_final_data to collect additional data before closing the event Athira Rajeev
2026-07-01  8:54   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 4/9] tools/perf: Add powerpc callback support for arch_record__collect_final_data Athira Rajeev
2026-07-01  8:55   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 5/9] tools/perf: process htm auxtrace events and display in perf report -D Athira Rajeev
2026-07-01  9:05   ` sashiko-bot [this message]
2026-07-01  8:41 ` [PATCH 6/9] perf tools powerpc: Add HTM trace data processing and decoding support Athira Rajeev
2026-07-01  9:06   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 7/9] perf tools powerpc: Add physical to logical address mapping for HTM traces Athira Rajeev
2026-07-01  9:07   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 8/9] tools/perf/powerpc: Add event name as htm of PERF_TYPE_SYNTH type to present htm samples Athira Rajeev
2026-07-01  9:12   ` sashiko-bot
2026-07-01  8:41 ` [PATCH 9/9] tools/perf/powerpc: Add logical address in decoded traces Athira Rajeev
2026-07-01  9:13   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701090542.1938F1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=atrajeev@linux.ibm.com \
    --cc=linux-perf-users@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox