The Linux Kernel Mailing List
From: Ian Rogers <irogers@google.com>
To: irogers@google.com, acme@kernel.org
Cc: adrian.hunter@intel.com, ajones@ventanamicro.com,
	ak@linux.intel.com,  alex@ghiti.fr,
	alexander.shishkin@linux.intel.com, anup@brainfault.org,
	 aou@eecs.berkeley.edu, atrajeev@linux.ibm.com,
	blakejones@google.com,  ctshao@google.com,
	dapeng1.mi@linux.intel.com, derek.foreman@collabora.com,
	 dvyukov@google.com, howardchu95@gmail.com,
	hrishikesh123s@gmail.com,  james.clark@linaro.org,
	jolsa@kernel.org, krzysztof.m.lopatowski@gmail.com,
	 leo.yan@arm.com, linux-kernel@vger.kernel.org,
	 linux-perf-users@vger.kernel.org, linux@treblig.org,
	mingo@redhat.com,  namhyung@kernel.org, nichen@iscas.ac.cn,
	palmer@dabbelt.com,  peterz@infradead.org, pjw@kernel.org,
	ravi.bangoria@amd.com,  swapnil.sapkal@amd.com, tanze@kylinos.cn,
	thomas.falcon@intel.com,  tianyou.li@intel.com,
	yujie.liu@intel.com, zhouquan@iscas.ac.cn
Subject: [PATCH v13 30/32] perf evsel: Add bounds checking to trace point raw data accessors
Date: Tue, 12 May 2026 15:29:59 -0700
Message-ID: <20260512223001.2952848-31-irogers@google.com>
In-Reply-To: <20260512223001.2952848-1-irogers@google.com>

Avoid a tracepoint field accidentally reading out of bounds by
checking that the size of the read fits. This was prompted by Sashiko
review feedback about the potential. Properly compute the size for
dynamic fields using the high 16-bits.

Fix handling of dynamic tracepoint fields when endianness varies by
byte swapping the data.

Signed-off-by: Ian Rogers <irogers@google.com>
---
I suspect the int field handling should also incorporate these
changes, but I've stopped with just rawptr's (which also includes
strings) as those are the only current fields that support dynamic and
relative.
---
 tools/perf/util/evsel.c | 54 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 49 insertions(+), 5 deletions(-)
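The descriptor decoding the commit message describes (low 16 bits are the offset, high 16 bits the size, a __rel_loc offset counts from the end of the descriptor, and the word is byte-swapped when the sample's endianness differs from the host's), together with the same two-stage bounds check, as an added stand-alone C example. It is not part of the patch or of the perf tool: `struct fmt_field`, `resolve_field()` and the `example_*` functions are constructed stand-ins for libtraceevent's `struct tep_format_field` and perf's `perf_sample__rawptr()`, the records are constructed rather than captured from a kernel, and because they are written as little-endian bytes the example assumes a little-endian host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct tep_format_field: only the members the
 * descriptor decoding needs. */
struct fmt_field {
	const char *name;
	int offset;    /* where the field (or its 4-byte __data_loc descriptor) lives */
	int size;      /* static size; 4 for a dynamic-field descriptor */
	bool dynamic;  /* __data_loc / __rel_loc */
	bool relative; /* __rel_loc: offset counts from the end of the descriptor */
};

/* Same rule as the patch: offset and size must be non-negative and the
 * half-open range [offset, offset + size) must lie inside raw_size bytes. */
static bool out_of_bounds(const struct fmt_field *f, int offset, int size, uint32_t raw_size)
{
	if (offset < 0 || size < 0) {
		fprintf(stderr, "negative offset/size for %s\n", f->name);
		return true;
	}
	/* Both operands are below 2^31 after the sign checks, so the u32 sum cannot wrap. */
	if ((uint32_t)offset + (uint32_t)size > raw_size) {
		fprintf(stderr, "field %s [%d,+%d) exceeds %u bytes\n",
			f->name, offset, size, (unsigned)raw_size);
		return true;
	}
	return false;
}

/* Resolve a field to an offset inside the raw record. Returns -1 when the
 * record is too short for the descriptor or the descriptor points outside it.
 * *out_size receives the resolved size (high 16 bits for dynamic fields). */
static int resolve_field(const struct fmt_field *f, const uint8_t *raw, uint32_t raw_size,
			 bool needs_swap, int *out_size)
{
	int offset = f->offset, size = f->size;

	if (f->dynamic) {
		uint32_t desc;

		/* The descriptor itself must be in bounds before it is read. */
		if (out_of_bounds(f, offset, (int)sizeof(desc), raw_size))
			return -1;
		memcpy(&desc, raw + offset, sizeof(desc)); /* no unaligned deref */
		if (needs_swap)
			desc = __builtin_bswap32(desc);
		offset = desc & 0xffff;        /* low 16 bits: offset */
		size = (desc >> 16) & 0xffff;  /* high 16 bits: size */
		if (f->relative)
			offset += f->offset + f->size;
	}
	if (out_of_bounds(f, offset, size, raw_size))
		return -1;
	if (out_size)
		*out_size = size;
	return offset;
}

/* Constructed records (little-endian host assumed): 8 bytes of common
 * header, a 4-byte descriptor at offset 8, a 6-byte payload at offset 12. */
#define DESC(off, sz) (uint8_t)(off), (uint8_t)((off) >> 8), (uint8_t)(sz), (uint8_t)((sz) >> 8)
static const uint8_t REC_ABS[] = { 0,0,0,0,0,0,0,0, DESC(12, 6),   'h','e','l','l','o',0 };
static const uint8_t REC_REL[] = { 0,0,0,0,0,0,0,0, DESC(0, 6),    'h','e','l','l','o',0 };
static const uint8_t REC_LIE[] = { 0,0,0,0,0,0,0,0, DESC(12, 400), 'h','e','l','l','o',0 };

static const struct fmt_field NAME_LOC = { "name", 8, 4, true, false };
static const struct fmt_field NAME_REL = { "name", 8, 4, true, true };

/* Well-formed __data_loc: offset 12, size 6. */
int example_absolute(void)
{
	int size = 0;
	int off = resolve_field(&NAME_LOC, REC_ABS, sizeof(REC_ABS), false, &size);
	return (off == 12 && size == 6) ? off : -1;
}

/* __rel_loc with relative offset 0: 0 + 8 + 4 = 12. */
int example_relative(void)
{
	return resolve_field(&NAME_REL, REC_REL, sizeof(REC_REL), false, NULL);
}

/* Descriptor claims 400 bytes inside an 18-byte record: rejected. */
int example_overclaimed(void)
{
	return resolve_field(&NAME_LOC, REC_LIE, sizeof(REC_LIE), false, NULL);
}

/* Record truncated to 10 bytes, so the descriptor at 8..11 does not fit: rejected. */
int example_truncated(void)
{
	return resolve_field(&NAME_LOC, REC_ABS, 10, false, NULL);
}

/* Same descriptor stored big-endian (0x0006000C) and read with needs_swap: still 12. */
int example_swapped(void)
{
	uint8_t rec[sizeof(REC_ABS)];
	memcpy(rec, REC_ABS, sizeof(rec));
	rec[8] = 0; rec[9] = 6; rec[10] = 0; rec[11] = 12;
	return resolve_field(&NAME_LOC, rec, sizeof(rec), true, NULL);
}

int main(void)
{
	printf("abs=%d rel=%d over=%d trunc=%d swap=%d\n", example_absolute(), example_relative(),
	       example_overclaimed(), example_truncated(), example_swapped());
	return 0;
}
```

The two rejected cases are the ones the patch guards against: a record shorter than the descriptor, and a descriptor whose claimed range runs past the record. A caller that only receives the offset still has to use the returned size to bound what it reads, since a dynamic string field's NUL terminator is not guaranteed to fall inside that range.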

diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index bb48568b8101..713a250c7374 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -3700,22 +3700,63 @@ struct tep_format_field *evsel__common_field(struct evsel *evsel, const char *na
 	return tp_format ? tep_find_common_field(tp_format, name) : NULL;
 }
 
+static bool out_of_bounds(const struct tep_format_field *field, int offset, int size, u32 raw_size)
+{
+	if (offset < 0) {
+		pr_warning("Negative trace point field offset %d in %s\n",
+			   offset, field->name);
+		return true;
+	}
+	if (size < 0) {
+		pr_warning("Negative trace point field size %d in %s\n",
+			   size, field->name);
+		return true;
+	}
+	if ((u32)offset + (u32)size > raw_size) {
+		pr_warning("Out of bound tracepoint field (%s) offset %d size %d in %u\n",
+			   field->name, offset, size, raw_size);
+		return true;
+	}
+	return false;
+}
+
 void *perf_sample__rawptr(struct perf_sample *sample, const char *name)
 {
 	struct tep_format_field *field = evsel__field(sample->evsel, name);
-	int offset;
+	int offset, size;
 
 	if (!field)
 		return NULL;
 
 	offset = field->offset;
-
+	size = field->size;
 	if (field->flags & TEP_FIELD_IS_DYNAMIC) {
-		offset = *(int *)(sample->raw_data + field->offset);
-		offset &= 0xffff;
-		if (tep_field_is_relative(field->flags))
+		int dynamic_data;
+
+		if (out_of_bounds(field, offset, 4, sample->raw_size))
+			return NULL;
+
+		dynamic_data = *(int *)(sample->raw_data + field->offset);
+
+		if (sample->evsel->needs_swap)
+			dynamic_data = bswap_32(dynamic_data);
+
+		offset = dynamic_data & 0xffff;
+		size = (dynamic_data >> 16) & 0xffff;
+
+		if (tep_field_is_relative(field->flags)) {
+			/*
+			 * Newer kernel feature: Relative offsets (__rel_loc).
+			 * If the relative flag is set, the parsed offset is not
+			 * absolute from the start of the record. Instead, it is
+			 * relative to the *end* of the dynamic field descriptor
+			 * itself.
+			 */
 			offset += field->offset + field->size;
+		}
 	}
+	if (out_of_bounds(field, offset, size, sample->raw_size))
+		return NULL;
 
 	return sample->raw_data + offset;
 }
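Review bot: `dynamic_data` is declared `int`, so `(dynamic_data >> 16) & 0xffff` right-shifts a negative value whenever the size has bit 15 set, and a right shift of a negative signed integer is implementation-defined in C; declaring it `u32` (which also matches what `bswap_32()` returns) makes the extraction well-defined without changing the result. The deref `*(int *)(sample->raw_data + field->offset)` is also unaligned when `field->offset` is not a multiple of 4, and a `memcpy` into the local would avoid that. Two smaller points in the same block: the descriptor read is bounds-checked with a literal `4` while the relative adjustment on the next lines uses `field->size`, so using `sizeof(dynamic_data)` in the check, or checking that `field->size == 4`, keeps the two from drifting apart; and for string fields this check only proves that `size` bytes lie inside `raw_size`, not that a NUL terminator does, so callers that treat the returned pointer as a C string still need to bound their read by the size.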
@@ -3726,6 +3767,9 @@ u64 format_field__intval(struct tep_format_field *field, struct perf_sample *sam
 	u64 value;
 	void *ptr = sample->raw_data + field->offset;
 
+	if (out_of_bounds(field, field->offset, field->size, sample->raw_size))
+		return 0;
+
 	switch (field->size) {
 	case 1:
 		return *(u8 *)ptr;
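Review bot: returning `0` on an out-of-bounds field is indistinguishable from a genuine zero value, so a caller cannot tell a rejected read from a real result except by the `pr_warning()`; worth a one-line comment on the function documenting that contract. Also `ptr` is still initialised from `field->offset` before the `out_of_bounds()` call; moving `void *ptr = sample->raw_data + field->offset;` below the check keeps the pointer arithmetic on validated values only.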
-- 
2.54.0.563.g4f69b47b94-goog

