From: sashiko-bot@kernel.org
To: "Ian Rogers" <irogers@google.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH v3 2/4] perf ui hists: Remove duplicated thread in popup_action
Date: Thu, 09 Jul 2026 17:10:30 +0000 [thread overview]
Message-ID: <20260709171030.9C9721F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260709165220.1411149-2-irogers@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Stack buffer overflow in `actions` and `options` arrays due to unbounded option additions.
--
--- Patch [2]: [PATCH v3 2/4] perf ui hists: Remove duplicated thread in popup_action ---
commit 72bd59b6c2f43a82a793219b81133029ab0f3b61
Author: Ian Rogers <irogers@google.com>
perf ui hists: Remove duplicated thread in popup_action
This commit removes the thread field from struct popup_action as it is
duplicated in the map_symbol structure. This ensures there is only ever
one thread associated with a popup_action.
> diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
> index 6353be9dba865..a93846b8dc885 100644
> --- a/tools/perf/ui/browsers/hists.c
> +++ b/tools/perf/ui/browsers/hists.c
[ ... ]
> @@ -3305,7 +3304,7 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
> */
> do_zoom_dso(browser, actions);
> } else if (top == &browser->hists->thread_filter) {
> - actions->thread = thread;
> + actions->ms.thread = thread;
> } else if (top == &browser->hists->socket_filter) {
> do_zoom_socket(browser, actions);
[Severity: High]
This isn't a bug introduced by this patch, but looking at how the actions
array is populated in evsel__hists_browse(), is there a potential stack buffer
overflow here?
The options and actions arrays are statically sized to 16 elements on the
stack:
#define MAX_OPTIONS 16
char *options[MAX_OPTIONS];
struct popup_action actions[MAX_OPTIONS];
Later in the same function, under the skip_annotation label, the code
unconditionally appends menu options using a sequence of calls like:
nr_options += add_annotate_type_opt(&actions[nr_options], ...);
nr_options += add_thread_opt(browser, &actions[nr_options], ...);
nr_options += add_dso_opt(browser, &actions[nr_options], ...);
Depending on the flags and data available in the perf.data file (such as
data type annotations, threads, callchains, and time sorting), couldn't this
sequence of additions append up to 19 options, exceeding the 16-element limit?
Because the options and actions arrays are allocated adjacently on the stack,
could writing an asprintf string pointer past the end of the options array
directly overwrite the fn function pointer of actions[0]?
If the user then selects the first menu option, could this result in a control
flow hijack when the program dereferences and jumps to the heap string pointer?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260709165220.1411149-1-irogers@google.com?part=2
next prev parent reply other threads:[~2026-07-09 17:10 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 23:46 [PATCH v1 1/3] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-08 23:46 ` [PATCH v1 2/3] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-08 23:58 ` sashiko-bot
2026-07-08 23:46 ` [PATCH v1 3/3] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-08 23:58 ` sashiko-bot
2026-07-09 3:36 ` [PATCH v2 1/4] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-09 3:36 ` [PATCH v2 2/4] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-09 3:52 ` sashiko-bot
2026-07-09 3:37 ` [PATCH v2 3/4] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-09 3:57 ` sashiko-bot
2026-07-09 3:37 ` [PATCH v2 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-09 3:52 ` sashiko-bot
2026-07-09 3:54 ` [PATCH v2 1/4] perf ui hists: In report UI ensure thread is set sashiko-bot
2026-07-09 16:52 ` [PATCH v3 " Ian Rogers
2026-07-09 16:52 ` [PATCH v3 2/4] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-09 17:10 ` sashiko-bot [this message]
2026-07-09 16:52 ` [PATCH v3 3/4] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-09 17:04 ` sashiko-bot
2026-07-09 16:52 ` [PATCH v3 4/4] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-09 17:08 ` sashiko-bot
2026-07-09 17:08 ` [PATCH v3 1/4] perf ui hists: In report UI ensure thread is set sashiko-bot
2026-07-10 2:49 ` [PATCH v4 1/9] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow Ian Rogers
2026-07-10 2:49 ` [PATCH v4 2/9] perf ui hists: In report UI ensure thread is set Ian Rogers
2026-07-10 3:05 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 3/9] perf disasm: Fix potential NULL pointer dereference in arch__find() Ian Rogers
2026-07-10 2:59 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 4/9] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure Ian Rogers
2026-07-10 3:09 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 5/9] perf ui hists: Fix memory leak in evsel__hists_browse() interactive loop Ian Rogers
2026-07-10 3:05 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 6/9] perf ui hists: Fix dso_filter reference leak and exit cleanup Ian Rogers
2026-07-10 3:07 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 7/9] perf ui hists: Fix NULL pointer array gap in add_script_opt() Ian Rogers
2026-07-10 2:49 ` [PATCH v4 8/9] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-10 3:09 ` sashiko-bot
2026-07-10 2:49 ` [PATCH v4 9/9] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-10 3:17 ` sashiko-bot
2026-07-10 3:06 ` [PATCH v4 1/9] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow sashiko-bot
2026-07-10 5:36 ` [PATCH v5 01/10] " Ian Rogers
2026-07-10 5:36 ` [PATCH v5 02/10] perf ui hists: Fix uninitialized stack memory free on pstack allocation failure Ian Rogers
2026-07-10 5:55 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 03/10] perf ui hists: Include limits.h for PATH_MAX definition Ian Rogers
2026-07-10 5:36 ` [PATCH v5 04/10] perf ui hists: Fix stack use-after-return in symbol_filter_str Ian Rogers
2026-07-10 5:59 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 05/10] perf disasm: Fix potential NULL pointer dereference and use-after-free in arch__find() Ian Rogers
2026-07-10 5:36 ` [PATCH v5 06/10] perf ui hists: Fix NULL pointer array gap in add_script_opt() Ian Rogers
2026-07-10 5:56 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 07/10] perf ui hists: In report UI ensure thread is set with reference counting Ian Rogers
2026-07-10 5:54 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 08/10] perf ui hists: Remove duplicated thread in popup_action Ian Rogers
2026-07-10 5:54 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 09/10] perf ui hists: Fix dso_filter reference leak and exit zoom cleanup Ian Rogers
2026-07-10 5:58 ` sashiko-bot
2026-07-10 5:36 ` [PATCH v5 10/10] perf annotate: Be robust to annotating without a thread Ian Rogers
2026-07-10 6:08 ` sashiko-bot
2026-07-10 5:54 ` [PATCH v5 01/10] perf hists browser: Increase MAX_OPTIONS to prevent stack buffer overflow sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260709171030.9C9721F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=irogers@google.com \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox