From: Peter Zijlstra <peterz@infradead.org>
Date: Fri, 6 Dec 2019 11:50:16 +0000 (+0100)
Subject: perf/x86: Fix potential out-of-bounds access
X-Git-Tag: v5.5-rc3~13^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e69a0efc0bd0e02b8327e7186fbb4a81878ea0b;p=thirdparty%2Flinux.git

perf/x86: Fix potential out-of-bounds access

UBSAN reported out-of-bound accesses for x86_pmu.event_map(), it's
arguments should be < x86_pmu.max_events. Make sure all users observe
this constraint.

Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Meelis Roos <mroos@linux.ee>
---

diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 9a89d98c55bd8..84fe1becbe26b 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1642,9 +1642,12 @@ static struct attribute_group x86_pmu_format_group __ro_after_init = {
 
 ssize_t events_sysfs_show(struct device *dev, struct device_attribute *attr, char *page)
 {
-	struct perf_pmu_events_attr *pmu_attr = \
+	struct perf_pmu_events_attr *pmu_attr =
 		container_of(attr, struct perf_pmu_events_attr, attr);
-	u64 config = x86_pmu.event_map(pmu_attr->id);
+	u64 config = 0;
+
+	if (pmu_attr->id < x86_pmu.max_events)
+		config = x86_pmu.event_map(pmu_attr->id);
 
 	/* string trumps id */
 	if (pmu_attr->event_str)
@@ -1713,6 +1716,9 @@ is_visible(struct kobject *kobj, struct attribute *attr, int idx)
 {
 	struct perf_pmu_events_attr *pmu_attr;
 
+	if (idx >= x86_pmu.max_events)
+		return 0;
+
 	pmu_attr = container_of(attr, struct perf_pmu_events_attr, attr.attr);
 	/* str trumps id */
 	return pmu_attr->event_str || x86_pmu.event_map(idx) ? attr->mode : 0;