Re: [PATCH v4 0/4] perf tools: Add inject --aslr feature and prerequisite robustness fixes
From: Ian Rogers
Date: Mon May 04 2026 - 04:25:18 EST
I found a regression when testing as root, so please ignore.
Thanks,
Ian
On Mon, May 4, 2026 at 12:29 AM Ian Rogers <irogers@xxxxxxxxxx> wrote:
>
> This patch series introduces the new 'perf inject --aslr' feature to remap
> virtual memory addresses or drop physical memory event leaks when profile
> record data is shared between machines. Bundled with this feature are two
> independent, critical bug fixes inside core event dispatching tools that
> harden perf session analysis against dynamic crashes and callchain mapping
> failures.
>
> Core Feature: 'perf inject --aslr' (Patches 3 and 4)
>
> Transferring perf.data files across environments introduces a potential leak
> of virtual address footprints, weakening Address Space Layout Randomization
> (ASLR) on the originating machine. To mitigate this, we introduce the --aslr
> flag into perf inject. Unknown or unhandled events are dropped conservatively,
> while handled samples and branch loops undergo systematic virtual memory offset
> obfuscation.
>
> To ensure comprehensive memory and error-path safety, the ASLR tool implements:
> - Machine namespaces ('struct machines') to safely interleave host mappings and
> unprivileged KVM guest virtual address mappings.
> - Resolves VMA split map failures (caused by overlap fixups during map
> insertions) consistently by anchoring mappings on DSO and memory
> invariants.
> - Guards against integer overflows in branch stack loops via
> subtraction-based bounds arithmetic.
> - Prevents heap buffer overflows by computing safe word limits on
> userspace stacks and dynamic hardware tracing (AUX) sizes.
> - Prevents key collisions/ABA lookups by correctly managing DSO
> reference counts (dso__get/put).
> - Cleans up error paths to avoid inconsistent hashmap mappings on
> OOM failures.
> - Optimizes performance by removing redundant hot-path memory
> allocations.
> - Cleanly advances session readers past dropped auxtrace streams
> using pipe-stream I/O skip helpers.
> - Scrubs breakpoint addresses (bp_addr) from output event headers
> and dynamically synthesized events for pipes via a custom pipe
> repipe wrapper to prevent unscrubbed address leakage.
> - Remaps kernel memory maps linearly to maintain secure base
> obfuscation bounds.
> - Hardens guest cpumode lookups against corrupting host/guest user and
> kernel mapping boundaries during sample fallback searches.
> - Synchronizes ksymbol map tracking invariants using precise VMA
> offset math rather than raw addresses to prevent unique base leaks
> on every function symbol.
> - Blocks trailing heap padding byte data leakage vectors in userspace
> stacks and AUX tracking frames via targeted tail-word clearing.
>
> Verification is reinforced in Patch 4 with a new comprehensive POSIX shell
> suite ('inject_aslr.sh'), hardened against SIGPIPE signal exits with stream
> consuming awk loops and robust 'set -o pipefail' assertions. The suite includes
> a new dedicated scenario validating pipe stdout injection attribute stability.
>
> Prerequisite Bug Fixes (Patches 1 and 2)
>
> During development, two core event delegation issues were identified and
> resolved to prevent crashes and data loss during analysis:
>
> 1. perf sched: 'timehist' registers standard MMAP, COMM, EXIT, and FORK stubs,
> but completely omits registering MMAP2 callbacks. Because modern environments
> output maps primarily via MMAP2 frames, this caused timehist sessions to silently
> drop shared library mappings, causing dynamic callchain symbol resolutions to
> fail. Patch 1 corrects this by properly registering perf_event__process_mmap2.
>
> 2. perf tool: Patch 2 fixes missing copies of schedstat callbacks inside delegated
> wrapper tools (which caused segfaults on NULL stubs) and properly initializes/copies
> the 'dont_split_sample_group' grouping parameters to prevent stack garbage from
> triggering silent non-leader event drops during split deliver streams.
>
> Changes since v3:
> - Feature integration: Pass a dedicated 'perf_event__aslr_repipe' callback to
> perf_event__synthesize_for_pipe() to scrub synthesized breakpoint attributes.
> - Feature core: Loop through and scrub event evlist breakpoint attributes right
> before writing file headers in __cmd_inject().
> - Feature core: Linearize kernel map base obfuscation and remove redundant pgoff
> delta adjustments that leaked kernel layout calculations.
> - Feature core: Fix host/guest cpumode mappings in sample fallback lookups.
> - Feature core: Sync ksymbol tracking keys onto VMA offset invariants.
> - Feature core: Zero out trailing padding word bytes in user stacks and AUX blocks.
> - Validation suite: Add 'test_pipe_out_report_aslr' validation case.
> - Validation suite: Upgrade kernel report checks to strict sorted line-by-line diffs.
> - Style: Wrap all commit description lines to under 75 columns and fix code formatting.
>
> Ian Rogers (4):
> perf sched: Add missing mmap2 handler in timehist
> perf tool: Fix missing schedstat delegates and dont_split_sample_group
> in delegate_tool
> perf inject/aslr: Add aslr tool to remap/obfuscate virtual addresses
> perf test: Add inject ASLR test
>
> tools/perf/builtin-inject.c | 52 +-
> tools/perf/builtin-sched.c | 1 +
> tools/perf/tests/shell/inject_aslr.sh | 459 ++++++++++
> tools/perf/util/Build | 1 +
> tools/perf/util/aslr.c | 1161 +++++++++++++++++++++++++
> tools/perf/util/aslr.h | 10 +
> tools/perf/util/tool.c | 6 +
> 7 files changed, 1689 insertions(+), 1 deletion(-)
> create mode 100755 tools/perf/tests/shell/inject_aslr.sh
> create mode 100644 tools/perf/util/aslr.c
> create mode 100644 tools/perf/util/aslr.h
>
> --
> 2.54.0.545.g6539524ca2-goog
>
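The two mechanisms the cover letter names for sample and branch-stack handling, per-map rebasing that keeps only the intra-map offset and a subtraction-based bounds check that cannot wrap, as an added C example that is not code from the series: struct map_entry, aslr_remap, aslr_remap_branches and aslr_demo are invented names, and the maps, branches and fixed new_base values are constructed stand-ins for the randomized bases an inject tool would pick.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Hypothetical map (not perf's struct map): [start, end) as recorded, rebased to new_base. */
struct map_entry { uint64_t start, end, new_base; };
struct branch { uint64_t from, to; };
/* n entries of sz bytes after a hdr-byte header fit in len bytes iff
 * n <= (len - hdr) / sz; "hdr + n * sz <= len" can wrap on a crafted n. */
static bool branch_stack_fits(uint64_t len, uint64_t hdr, uint64_t n, uint64_t sz)
{
	return len >= hdr && sz != 0 && n <= (len - hdr) / sz;
}
/* Rebase addr onto its map's new_base, keeping the intra-map offset; unmapped addrs fail. */
static bool aslr_remap(const struct map_entry *maps, size_t nmaps,
		       uint64_t addr, uint64_t *out)
{
	for (size_t i = 0; i < nmaps; i++)
		if (addr >= maps[i].start && addr < maps[i].end) {
			*out = maps[i].new_base + (addr - maps[i].start);
			return true;
		}
	return false;
}
/* Remap a branch stack in place, zeroing entries with an unresolvable end so
 * no recorded address leaks. Returns the number of entries kept. */
static size_t aslr_remap_branches(const struct map_entry *maps, size_t nmaps,
				  struct branch *br, size_t n)
{
	size_t kept = 0;
	for (size_t i = 0; i < n; i++) {
		uint64_t f, t;
		if (aslr_remap(maps, nmaps, br[i].from, &f) &&
		    aslr_remap(maps, nmaps, br[i].to, &t)) {
			br[i].from = f; br[i].to = t; kept++;
		} else
			br[i].from = br[i].to = 0;
	}
	return kept;
}
/* Constructed scenario: two maps, three branches, last unresolvable. Entry 0's new 'to' or 0. */
static uint64_t aslr_demo(void)
{
	const struct map_entry maps[] = { { 0x400000, 0x401000, 0x7f0000000000ULL },
		{ 0x7ffff7dd0000ULL, 0x7ffff7df0000ULL, 0x5555a0000000ULL } };
	struct branch br[] = { { 0x400123, 0x7ffff7dd0010ULL },
		{ 0x400200, 0x400210 }, { 0x400300, 0x500000 } };
	if (aslr_remap_branches(maps, 2, br, 3) != 2 || br[2].from || br[2].to)
		return 0;
	return br[0].to; /* 0x5555a0000010 */
}
```

The dropped third branch shows the conservative policy from the cover letter: an address that resolves to no known map is zeroed rather than copied through unchanged.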