| From: |
| Arnaldo Carvalho de Melo <acme-AT-kernel.org> |
| To: |
| Namhyung Kim <namhyung-AT-kernel.org> |
| Subject: |
| [PATCHES v2 00/29] perf: Harden perf.data parsing against crafted/corrupted files |
| Date: |
| Sun, 24 May 2026 00:26:34 -0300 |
| Message-ID: |
| <20260524032709.1080771-1-acme@kernel.org> |
| Cc: |
| Ingo Molnar <mingo-AT-kernel.org>, Thomas Gleixner <tglx-AT-linutronix.de>, James Clark <james.clark-AT-linaro.org>, Jiri Olsa <jolsa-AT-kernel.org>, Ian Rogers <irogers-AT-google.com>, Adrian Hunter <adrian.hunter-AT-intel.com>, Clark Williams <williams-AT-redhat.com>, linux-kernel-AT-vger.kernel.org, linux-perf-users-AT-vger.kernel.org, Arnaldo Carvalho de Melo <acme-AT-kernel.org> |
| Archive-link: |
| Article |
perf.data validation and hardening (29 patches)
A crafted or corrupted perf.data file can cause out-of-bounds
reads/writes, infinite loops, heap overflows, and segfaults in perf
report, perf script, perf inject, perf timechart, and perf kwork.
This series adds defense-in-depth validation for file parsing:
- Per-event-type minimum size table, enforced before swap and
processing on both native and cross-endian paths.
- Bounds-checking the one_mmap fast path in peek_event against the
mapped region size, preventing OOB reads from crafted file_offset.
- Swap handler return values (void -> int) so handlers can propagate
errors instead of silently corrupting adjacent memory.
- Bounds checking for string fields (null-termination), array counts
(nr vs payload size), feature section sizes (vs file size), and
CPU indices (vs nr_cpus_avail / array allocation).
- ABI0 handling for perf_event_attr.size == 0 across all code paths
(swap, native, synthesize, read_event_desc), with consistent
behavior regardless of file endianness.
- READ_ONCE() snapshot of event->header.size in process_user_event()
to prevent compiler rematerialization from MAP_SHARED memory.
- Sanitizer-aware shell test: the truncated perf.data test captures
stderr and checks for ASAN/MSAN/TSAN/UBSAN markers, since sanitizer
exits use code 1 which otherwise looks like a clean error exit.
Pre-existing bugs fixed along the way:
- event_contains() macro off-by-one (checked start, not full extent)
- zstd_decompress_stream multi-iteration output.pos bug
- zstd_compress_stream_to_records: broken memcpy fallback -> return -1
+ ZSTD context reset + dst_size underflow guard
- PERF_RECORD_SWITCH sample_id_all offset wrong for non-CPU_WIDE
- cpu_map__from_range any_cpu used as count instead of boolean
- cpu_map__from_mask double-fetch heap overflow (j >= weight guard)
- kwork cpus_runtime BUG_ON with signed comparison
- perf_header__getbuffer64 EOF without errno (silent success)
- read_event_desc ABI0 sentinel (attr.size=0 -> free_event_desc early stop)
- EVENT_UPDATE MASK: missing offsetof underflow guard + pr_warning on
mask32/mask64 validation paths
Additional pre-existing issues were noticed during review and will be
addressed in follow-up series.
Testing
-------
- perf test at baseline and after the series with 300s timeout -- no
regressions detected.
- Build with both gcc and clang at every patch.
- checkpatch.pl on all 29 patches.
- perf test on aarch64 (Raspberry PI 4).
Developed with AI assistance (Claude/sashiko), tagged in commits.
Thanks,
- Arnaldo
