From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v3 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow
Date: Thu, 09 Jul 2026 17:08:33 +0000 [thread overview]
Message-ID: <20260709170834.52F1A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709165220.1411149-4-irogers@google.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [Medium] Memory leak of dynamically allocated popup menu strings in the interaction loop.
- [Medium] Missing reference counting for `dso_filter` can lead to a use-after-free.
- [Medium] Unconditional pointer increment after string allocation failure leads to a NULL pointer dereference.
--
--- Patch [4]: [PATCH v3 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow ---
commit b8ca9e63522e300d76cedfda674dbc631afbc3e2
Author: Ian Rogers <irogers@google.com>
perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow
The commit increases MAX_OPTIONS in evsel__hists_browse() from 16 to 32 to
prevent a potential stack buffer overflow when adding menu options. It also
moves the memset of options and actions earlier in the function to avoid
reading uninitialized memory on an error path.
Closes: https://lore.kernel.org/linux-perf-users/20260708235834.3FB771F00A3A@smtp.kernel.org/
Fixes: f2b487db45f2 ("perf hists browser: Fix possible memory leak")
> diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
> index a93846b8dc885..8e54c29728d1c 100644
> --- a/tools/perf/ui/browsers/hists.c
> +++ b/tools/perf/ui/browsers/hists.c
> @@ -3002,7 +3002,7 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
> struct hists *hists = evsel__hists(evsel);
> struct hist_browser *browser = perf_evsel_browser__new(evsel, hbt, env);
> struct branch_info *bi = NULL;
> -#define MAX_OPTIONS 16
> +#define MAX_OPTIONS 32
> char *options[MAX_OPTIONS];
> struct popup_action actions[MAX_OPTIONS];
> int nr_options = 0;
> @@ -3063,15 +3063,15 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
> browser->min_pcnt = min_pcnt;
> hist_browser__update_nr_entries(browser);
>
> + memset(options, 0, sizeof(options));
> + memset(actions, 0, sizeof(actions));
> +
> browser->pstack = pstack__new(3);
> if (browser->pstack == NULL)
> goto out;
>
> ui_helpline__push(helpline);
>
> - memset(options, 0, sizeof(options));
> - memset(actions, 0, sizeof(actions));
> -
> if (symbol_conf.col_width_list_str)
> perf_hpp__set_user_width(symbol_conf.col_width_list_str);
>
[Severity: Medium]
This is a pre-existing issue, but I noticed a potential memory leak in
evsel__hists_browse() later in the same function when handling the options
array.
When the interactive loop runs, the dynamically allocated strings added to
the options array via asprintf() appear to be abandoned because nr_options
is reset to 0 in each iteration without freeing them:
tools/perf/ui/browsers/hists.c:evsel__hists_browse() {
...
while (1) {
...
key = 0; // reset key
do_hotkey: // key came straight from options ui__popup_menu()
choice = nr_options = 0;
...
}
Does this cause memory to leak continuously as the user interacts with the
menu and new strings are allocated?
[Severity: Medium]
This is another pre-existing issue, but I noticed a potential missing
reference count in hists_browser__zoom_map().
The reference-counted dso struct is assigned as a raw pointer without
acquiring a reference via dso__get():
tools/perf/ui/browsers/hists.c:hists_browser__zoom_map() {
...
browser->hists->dso_filter = dso;
...
}
Could this lead to a use-after-free defect if the underlying dso is freed
while the filter remains active, since it's later cleared without calling
dso__put()?
[Severity: Medium]
This is also a pre-existing issue, but I found a sequence in add_script_opt()
that might cause a NULL pointer dereference.
If the first call to add_script_opt_2() fails (for example, due to an
asprintf allocation failure), the pointer remains unset. The function then
unconditionally increments the optstr and act pointers:
tools/perf/ui/browsers/hists.c:add_script_opt() {
...
optstr++;
act++;
...
}
If a second allocation then completes successfully, the caller increments
nr_options, but the options array would contain an uninitialized or NULL
pointer gap at its first active index.
Can this NULL pointer be subsequently dereferenced by ui__popup_menu() via
ui_browser__write_nstring()?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260709165220.1411149-1-irogers@google.com?part=4
next prev parent reply other threads:[~2026-07-09 17:08 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 23:46 [PATCH v1 1/3] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-08 23:46 ` [PATCH v1 2/3] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-08 23:58 ` sashiko-bot
2026-07-08 23:46 ` [PATCH v1 3/3] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-08 23:58 ` sashiko-bot
2026-07-09 3:36 ` [PATCH v2 1/4] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-09 3:36 ` [PATCH v2 2/4] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-09 3:52 ` sashiko-bot
2026-07-09 3:37 ` [PATCH v2 3/4] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-09 3:57 ` sashiko-bot
2026-07-09 3:37 ` [PATCH v2 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-09 3:52 ` sashiko-bot
2026-07-09 3:54 ` [PATCH v2 1/4] perf ui hists: In report UI ensure thread is set sashiko-bot
2026-07-09 16:52 ` [PATCH v3 " Ian Rogers
2026-07-09 16:52 ` [PATCH v3 2/4] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-09 17:10 ` sashiko-bot
2026-07-09 16:52 ` [PATCH v3 3/4] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-09 17:04 ` sashiko-bot
2026-07-09 16:52 ` [PATCH v3 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-09 17:08 ` sashiko-bot [this message]
2026-07-09 17:08 ` [PATCH v3 1/4] perf ui hists: In report UI ensure thread is set sashiko-bot
2026-07-10 2:49 ` [PATCH v4 1/9] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-10 2:49 ` [PATCH v4 2/9] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-10 3:05 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 3/9] perf disasm: Fix potential NULL pointer dereference in arch__find() Ian Rogers
2026-07-10 2:59 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 4/9] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure Ian Rogers
2026-07-10 3:09 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 5/9] perf ui hists: Fix memory leak in evsel__hists_browse() interactive loop Ian Rogers
2026-07-10 3:05 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 6/9] perf ui hists: Fix dso_filter reference leak and exit cleanup Ian Rogers
2026-07-10 3:07 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 7/9] perf ui hists: Fix NULL pointer array gap in add_script_opt() Ian Rogers
2026-07-10 2:49 ` [PATCH v4 8/9] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-10 3:09 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 9/9] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-10 3:17 ` sashiko-bot
2026-07-10 3:06 ` [PATCH v4 1/9] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow sashiko-bot
2026-07-10 5:36 ` [PATCH v5 01/10] " Ian Rogers
2026-07-10 5:36 ` [PATCH v5 02/10] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure Ian Rogers
2026-07-10 5:55 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 03/10] perf ui hists: Include limits.h for PATH_MAX definition Ian Rogers
2026-07-10 5:36 ` [PATCH v5 04/10] perf ui hists: Fix stack use-after-return in symbol_filter_str Ian Rogers
2026-07-10 5:59 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 05/10] perf disasm: Fix potential NULL pointer dereference and use-after-free in arch__find() Ian Rogers
2026-07-10 5:36 ` [PATCH v5 06/10] perf ui hists: Fix NULL pointer array gap in add_script_opt() Ian Rogers
2026-07-10 5:56 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 07/10] perf ui hists: In report UI ensure thread is set with reference counting Ian Rogers
2026-07-10 5:54 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 08/10] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-10 5:54 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 09/10] perf ui hists: Fix dso_filter reference leak and exit zoom cleanup Ian Rogers
2026-07-10 5:58 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 10/10] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-10 6:08 ` sashiko-bot
2026-07-10 5:54 ` [PATCH v5 01/10] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260709170834.52F1A1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox