From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 12 May 2026 15:29:55 -0700
In-Reply-To: <20260512223001.2952848-1-irogers@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260413041143.1736055-1-irogers@google.com> <20260512223001.2952848-1-irogers@google.com>
X-Mailer: git-send-email 2.54.0.563.g4f69b47b94-goog
Message-ID: <20260512223001.2952848-27-irogers@google.com>
Subject: [PATCH v13 26/32] perf synthetic-events: Bound check when synthesizing mmap2 and build_id events
From: Ian Rogers
To: irogers@google.com, acme@kernel.org
Cc: adrian.hunter@intel.com, ajones@ventanamicro.com, ak@linux.intel.com, alex@ghiti.fr, alexander.shishkin@linux.intel.com, anup@brainfault.org, aou@eecs.berkeley.edu, atrajeev@linux.ibm.com, blakejones@google.com, ctshao@google.com, dapeng1.mi@linux.intel.com, derek.foreman@collabora.com, dvyukov@google.com, howardchu95@gmail.com, hrishikesh123s@gmail.com, james.clark@linaro.org, jolsa@kernel.org, krzysztof.m.lopatowski@gmail.com, leo.yan@arm.com, linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org, linux@treblig.org, mingo@redhat.com, namhyung@kernel.org, nichen@iscas.ac.cn, palmer@dabbelt.com, peterz@infradead.org, pjw@kernel.org, ravi.bangoria@amd.com, swapnil.sapkal@amd.com, tanze@kylinos.cn, thomas.falcon@intel.com, tianyou.li@intel.com, yujie.liu@intel.com, zhouquan@iscas.ac.cn
Content-Type: text/plain; charset="UTF-8"

Prompted by Sashiko code review, add bound checks when synthesizing mmap2 and build_id events to make sure the filename doesn't overflow the event and lead to stack corruption.

Signed-off-by: Ian Rogers
---
 tools/perf/util/synthetic-events.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/tools/perf/util/synthetic-events.c b/tools/perf/util/synthetic-events.c
index de812a2befbc..0816f893b916 100644
--- a/tools/perf/util/synthetic-events.c
+++ b/tools/perf/util/synthetic-events.c
@@ -2257,14 +2257,20 @@ int perf_event__synthesize_build_id(const struct perf_tool *tool, const char *filename) { union perf_event ev; - size_t len; + size_t len, filename_len = strlen(filename); u64 sample_type = sample->evsel ? sample->evsel->core.attr.sample_type : 0; void *array = &ev; int ret; - len = sizeof(ev.build_id) + strlen(filename) + 1; + if (filename_len >= PATH_MAX) + return -EINVAL; + + len = sizeof(ev.build_id) + filename_len + 1; len = PERF_ALIGN(len, sizeof(u64)); + if (len + MAX_ID_HDR_ENTRIES * sizeof(__u64) > sizeof(ev)) + return -E2BIG; + memset(&ev, 0, len); ev.build_id.size = bid->size; @@ -2303,14 +2309,21 @@ int perf_event__synthesize_mmap2_build_id(const struct perf_tool *tool, const char *filename) { union perf_event ev; + size_t filename_len = strlen(filename); size_t ev_len; u64 sample_type = sample->evsel ? sample->evsel->core.attr.sample_type : 0; void *array; int ret; - ev_len = sizeof(ev.mmap2) - sizeof(ev.mmap2.filename) + strlen(filename) + 1; + if (filename_len >= sizeof(ev.mmap2.filename)) + return -EINVAL; + + ev_len = sizeof(ev.mmap2) - sizeof(ev.mmap2.filename) + filename_len + 1; ev_len = PERF_ALIGN(ev_len, sizeof(u64)); + if (ev_len + MAX_ID_HDR_ENTRIES * sizeof(__u64) > sizeof(ev)) + return -E2BIG; + memset(&ev, 0, ev_len); ev.mmap2.header.type = PERF_RECORD_MMAP2; -- 2.54.0.563.g4f69b47b94-goog
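Review bot: in the perf_event__synthesize_build_id() hunk the two new guards return different errors for what a caller sees as one condition, a filename that does not fit: `if (filename_len >= PATH_MAX) return -EINVAL;` and then `if (len + MAX_ID_HDR_ENTRIES * sizeof(__u64) > sizeof(ev)) return -E2BIG;`. Either settle on one error code or add a one-line comment above each check saying what it bounds (the first bounds the input string, the second bounds the on-stack `union perf_event` including the worst-case id sample header), because the second expression reads as a magic formula on its own. The second bound is also deliberately conservative: it reserves MAX_ID_HDR_ENTRIES entries regardless of `sample_type`, so it can reject a filename that would have fit for the sample_type actually in use; that is the right trade-off for an overflow guard, but a comment would stop a later reader from "tightening" it. Since the description says the unchecked length leads to stack corruption, a Fixes: tag naming the commit that introduced the unchecked strlen() would help stable maintainers pick this up.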
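Review bot: in the perf_event__synthesize_mmap2_build_id() hunk the first guard uses the real array size, `if (filename_len >= sizeof(ev.mmap2.filename))`, whereas the build_id hunk uses PATH_MAX; sizeof() is the better pattern because it cannot drift from the struct definition, so the two functions should ideally use the same approach if ev.build_id has a fixed-size filename member too. The ordering here is right: both checks come before `memset(&ev, 0, ev_len)` and before `ev.mmap2.header.type = PERF_RECORD_MMAP2;`, so nothing is written to the stack until the length is known to fit. One minor point: `size_t filename_len = strlen(filename);` now runs in the declaration initializer ahead of every check, which is the same as the old `strlen(filename)` call but means a NULL `filename` still faults here rather than returning an error; if callers guarantee non-NULL that is fine, but an explicit `if (!filename) return -EINVAL;` ahead of the declaration, or a comment, would make the contract visible.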