From: Ian Rogers <irogers@google.com>
To: irogers@google.com, acme@kernel.org, gmx@google.com,
james.clark@linaro.org, namhyung@kernel.org
Cc: adrian.hunter@intel.com, jolsa@kernel.org,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
mingo@redhat.com, peterz@infradead.org
Subject: [PATCH v6 6/6] perf aslr: Strip sample registers
Date: Fri, 8 May 2026 01:27:26 -0700 [thread overview]
Message-ID: <20260508082726.2795191-7-irogers@google.com> (raw)
In-Reply-To: <20260508082726.2795191-1-irogers@google.com>
When the ASLR tracking tool encounters sample events containing user
or interrupt register dumps (PERF_SAMPLE_REGS_USER /
PERF_SAMPLE_REGS_INTR), it previously dropped the entire sample event
conservatively to prevent absolute virtual memory pointers leakage
embedded inside raw register frames. If a trace session was recorded
with register collection flags enabled, this resulted in 100% sample
drop rates, and this happened by default for ARM64.
Refactor the ASLR tool to strip out obly the register dump payload
words from PERF_RECORD_SAMPLE event streams, automatically shrinking
the output sample header size. Incoming PERF_RECORD_ATTR events are
scrubbed up front to clear the register dump bit selection flags and
masks, and output sample ABI words are safely overwritten to
PERF_SAMPLE_REGS_ABI_NONE. This keeps downstream evsel parsers
perfectly synchronized while retaining full, comprehensive sample
profiles completely clear of secret register data frames.
Verification parity is established inside inject_aslr.sh via a
dedicated sorted report diff comparison validation case proving zero
starvation and absolute secrecy.
Assisted-by: Gemini-CLI:Google Gemini 3
Signed-off-by: Ian Rogers <irogers@google.com>
---
tools/perf/builtin-inject.c | 11 ++++++
tools/perf/tests/shell/inject_aslr.sh | 51 +++++++++++++++++++++++++++
tools/perf/util/aslr.c | 27 +++++++-------
3 files changed, 75 insertions(+), 14 deletions(-)
diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
index 51dcf248b653..7a17ce019657 100644
--- a/tools/perf/builtin-inject.c
+++ b/tools/perf/builtin-inject.c
@@ -2463,6 +2463,17 @@ static int __cmd_inject(struct perf_inject *inject)
}
}
+ if (inject->aslr) {
+ struct evsel *evsel;
+
+ evlist__for_each_entry(session->evlist, evsel) {
+ evsel__reset_sample_bit(evsel, REGS_USER);
+ evsel__reset_sample_bit(evsel, REGS_INTR);
+ evsel->core.attr.sample_regs_user = 0;
+ evsel->core.attr.sample_regs_intr = 0;
+ }
+ }
+
session->header.data_offset = output_data_offset;
diff --git a/tools/perf/tests/shell/inject_aslr.sh b/tools/perf/tests/shell/inject_aslr.sh
index 6363a0f69d2b..323782c3802d 100755
--- a/tools/perf/tests/shell/inject_aslr.sh
+++ b/tools/perf/tests/shell/inject_aslr.sh
@@ -446,6 +446,56 @@ test_kernel_report_aslr() {
fi
}
+test_regs_stripping() {
+ echo "Test user register stripping"
+ local rdata="${temp_dir}/perf.data.regs"
+ local rdata2="${temp_dir}/perf.data.regs.injected"
+ local rdata_clean="${temp_dir}/perf.data.regs.clean"
+
+ if ! perf record --user-regs -o "${rdata}" ${prog} > /dev/null 2>&1; then
+ echo "Skipping user registers test as recording failed (unsupported flag/platform)"
+ return
+ fi
+
+ perf inject -b -i "${rdata}" -o "${rdata_clean}"
+ perf inject -v -b --aslr -i "${rdata}" -o "${rdata2}"
+
+ local report1="${temp_dir}/report_regs1"
+ local report2="${temp_dir}/report_regs2"
+ local report1_clean="${temp_dir}/report_regs1.clean"
+ local report2_clean="${temp_dir}/report_regs2.clean"
+ local diff_file="${temp_dir}/diff_regs"
+
+ perf report -i "${rdata_clean}" --stdio > "${report1}" 2>/dev/null || true
+ perf report -i "${rdata2}" --stdio > "${report2}" 2>/dev/null || true
+
+ grep '%' "${report1}" | grep -v '^#' | grep -v -E '0x[0-9a-f]{8,}|0000000000000000' | sort > "${report1_clean}" || true
+ grep '%' "${report2}" | grep -v '^#' | grep -v -E '0x[0-9a-f]{8,}|0000000000000000' | sort > "${report2_clean}" || true
+
+ diff -u -w "${report1_clean}" "${report2_clean}" > "${diff_file}" || true
+
+ if [ ! -s "${report1_clean}" ]; then
+ echo "User registers stripping test [Failed - profile trace starved/empty]"
+ err=1
+ return
+ elif [ -s "${diff_file}" ]; then
+ echo "User registers stripping test [Failed - report parsing differs]"
+ echo "Showing first 20 lines of diff:"
+ head -n 20 "${diff_file}"
+ err=1
+ return
+ fi
+
+ local script_dump="${temp_dir}/script_regs_dump"
+ perf script -D -i "${rdata2}" > "${script_dump}" 2>/dev/null || true
+ if grep -q "PERF_SAMPLE_REGS_USER" "${script_dump}"; then
+ echo "User registers stripping test [Failed - register dumps still present]"
+ err=1
+ else
+ echo "User registers stripping test [Success]"
+ fi
+}
+
test_basic_aslr
test_pipe_aslr
test_callchain_aslr
@@ -455,6 +505,7 @@ test_pipe_out_report_aslr
test_dropped_samples
test_kernel_aslr
test_kernel_report_aslr
+test_regs_stripping
cleanup
exit $err
diff --git a/tools/perf/util/aslr.c b/tools/perf/util/aslr.c
index 09b7f2f8fb85..e5369589a733 100644
--- a/tools/perf/util/aslr.c
+++ b/tools/perf/util/aslr.c
@@ -751,18 +751,13 @@ static int aslr_tool__process_sample(const struct perf_tool *tool, union perf_ev
if (abi != PERF_SAMPLE_REGS_ABI_NONE) {
u64 nr = hweight64(evsel->core.attr.sample_regs_user);
- if (nr > max_i - i || nr > max_j - j) {
+ if (nr > max_i - i) {
ret = -EFAULT;
goto out_put;
}
- memcpy(&out_array[j], &in_array[i], nr * sizeof(u64));
i += nr;
- j += nr;
+ out_array[j-1] = PERF_SAMPLE_REGS_ABI_NONE;
}
- /* TODO: can this be less conservative? */
- pr_debug("Dropping regs user sample as possible ASLR leak\n");
- ret = 0;
- goto out_put;
}
if (sample_type & PERF_SAMPLE_STACK_USER) {
u64 size;
@@ -806,18 +801,13 @@ static int aslr_tool__process_sample(const struct perf_tool *tool, union perf_ev
if (abi != PERF_SAMPLE_REGS_ABI_NONE) {
u64 nr = hweight64(evsel->core.attr.sample_regs_intr);
- if (nr > max_i - i || nr > max_j - j) {
+ if (nr > max_i - i) {
ret = -EFAULT;
goto out_put;
}
- memcpy(&out_array[j], &in_array[i], nr * sizeof(u64));
i += nr;
- j += nr;
+ out_array[j-1] = PERF_SAMPLE_REGS_ABI_NONE;
}
- /* TODO: can this be less conservative? */
- pr_debug("Dropping interrupt register sample as possible ASLR leak\n");
- ret = 0;
- goto out_put;
}
if (sample_type & PERF_SAMPLE_PHYS_ADDR) {
COPY_U64(); /* phys_addr */
@@ -907,6 +897,15 @@ static int aslr_tool__process_attr(const struct perf_tool *tool,
if (new_event->attr.attr.type == PERF_TYPE_BREAKPOINT)
new_event->attr.attr.bp_addr = 0; /* Conservatively remove addresses. */
+ if (new_event->attr.attr.sample_type & PERF_SAMPLE_REGS_USER) {
+ new_event->attr.attr.sample_type &= ~PERF_SAMPLE_REGS_USER;
+ new_event->attr.attr.sample_regs_user = 0;
+ }
+ if (new_event->attr.attr.sample_type & PERF_SAMPLE_REGS_INTR) {
+ new_event->attr.attr.sample_type &= ~PERF_SAMPLE_REGS_INTR;
+ new_event->attr.attr.sample_regs_intr = 0;
+ }
+
return delegate->attr(delegate, new_event, pevlist);
}
--
2.54.0.563.g4f69b47b94-goog
prev parent reply other threads:[~2026-05-08 8:27 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260504072937.2103453-1-irogers@google.com>
2026-05-06 0:45 ` [PATCH v5 0/5] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-06 0:45 ` [PATCH v5 1/5] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-06 13:22 ` Arnaldo Carvalho de Melo
2026-05-06 16:16 ` Ian Rogers
2026-05-06 0:45 ` [PATCH v5 2/5] perf tool: Fix missing schedstat delegates and dont_split_sample_group in delegate_tool Ian Rogers
2026-05-06 0:45 ` [PATCH v5 3/5] perf symbols: Fix map removal sequence inside dso__process_kernel_symbol() Ian Rogers
2026-05-06 0:45 ` [PATCH v5 4/5] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-06 18:52 ` Namhyung Kim
2026-05-06 20:01 ` Ian Rogers
2026-05-06 0:45 ` [PATCH v5 5/5] perf test: Add inject ASLR test Ian Rogers
2026-05-07 15:58 ` James Clark
2026-05-07 16:17 ` Ian Rogers
2026-05-08 10:42 ` James Clark
2026-05-08 10:49 ` James Clark
2026-05-08 8:27 ` [PATCH v6 0/6] perf tools: Add inject --aslr feature and prerequisite robustness fixes Ian Rogers
2026-05-08 8:27 ` [PATCH v6 1/6] perf sched: Add missing mmap2 handler in timehist Ian Rogers
2026-05-08 8:27 ` [PATCH v6 2/6] perf tool: Missing delegate_tool schedstat delegates and dont_split_sample_group Ian Rogers
2026-05-08 8:27 ` [PATCH v6 3/6] perf maps: Add maps__mutate_mapping Ian Rogers
2026-05-08 10:57 ` James Clark
2026-05-11 7:07 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 4/6] perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses Ian Rogers
2026-05-11 7:32 ` Namhyung Kim
2026-05-08 8:27 ` [PATCH v6 5/6] perf test: Add inject ASLR test Ian Rogers
2026-05-08 13:29 ` James Clark
2026-05-08 14:29 ` James Clark
2026-05-11 7:34 ` Namhyung Kim
2026-05-08 8:27 ` Ian Rogers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508082726.2795191-7-irogers@google.com \
--to=irogers@google.com \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=gmx@google.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox