perf evsel: Add bounds checking to trace point raw data accessors

Prevent out-of-bounds memory reads when parsing corrupted or maliciously crafted
perf.data files by introducing robust bounds validation to raw data accessors.

- Add a helper out_of_bounds() to check if field offsets and sizes exceed the
  sample's raw_size boundary, preventing heap read overflows.
- In perf_sample__rawptr(), properly resolve newer relative dynamic tracepoint
  fields (__rel_loc) by checking the boundaries before and after reading the
  dynamic field descriptor.
- Byte-swap dynamic field offsets and sizes dynamically when endianness varies,
  ensuring cross-endian parsing is robust.

Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Andrew Jones <ajones@ventanamicro.com>
Cc: Anup Patel <anup@brainfault.org>
Cc: Athira Rajeev <atrajeev@linux.ibm.com>
Cc: Blake Jones <blakejones@google.com>
Cc: Chen Ni <nichen@iscas.ac.cn>
Cc: Chun-Tse Shao <ctshao@google.com>
Cc: Dapeng Mi <dapeng1.mi@linux.intel.com>
Cc: Derek Foreman <derek.foreman@collabora.com>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Dr. David Alan Gilbert <linux@treblig.org>
Cc: Howard Chu <howardchu95@gmail.com>
Cc: Hrishikesh Suresh <hrishikesh123s@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@linaro.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Krzysztof Łopatowski <krzysztof.m.lopatowski@gmail.com>
Cc: Leo Yan <leo.yan@arm.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Paul Walmsley <pjw@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Quan Zhou <zhouquan@iscas.ac.cn>
Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: Swapnil Sapkal <swapnil.sapkal@amd.com>
Cc: Thomas Falcon <thomas.falcon@intel.com>
Cc: Tianyou Li <tianyou.li@intel.com>
Cc: Yujie Liu <yujie.liu@intel.com>
Cc: tanze <tanze@kylinos.cn>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index bb48568b8101a9a32619d6fd05b5b4fbd4d6d46a..713a250c73740abaadacd79471c1b2eae38a818c 100644 (file)
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -3700,22 +3700,63 @@ struct tep_format_field *evsel__common_field(struct evsel *evsel, const char *na
        return tp_format ? tep_find_common_field(tp_format, name) : NULL;
 }
 
+static bool out_of_bounds(const struct tep_format_field *field, int offset, int size, u32 raw_size)
+{
+       if (offset < 0) {
+               pr_warning("Negative trace point field offset %d in %s\n",
+                          offset, field->name);
+               return true;
+       }
+       if (size < 0) {
+               pr_warning("Negative trace point field size %d in %s\n",
+                          size, field->name);
+               return true;
+       }
+       if ((u32)offset + (u32)size > raw_size) {
+               pr_warning("Out of bound tracepoint field (%s) offset %d size %d in %u\n",
+                          field->name, offset, size, raw_size);
+               return true;
+       }
+       return false;
+}
+
 void *perf_sample__rawptr(struct perf_sample *sample, const char *name)
 {
        struct tep_format_field *field = evsel__field(sample->evsel, name);
-       int offset;
+       int offset, size;
 
        if (!field)
                return NULL;
 
        offset = field->offset;
-
+       size = field->size;
        if (field->flags & TEP_FIELD_IS_DYNAMIC) {
-               offset = *(int *)(sample->raw_data + field->offset);
-               offset &= 0xffff;
-               if (tep_field_is_relative(field->flags))
+               int dynamic_data;
+
+               if (out_of_bounds(field, offset, 4, sample->raw_size))
+                       return NULL;
+
+               dynamic_data = *(int *)(sample->raw_data + field->offset);
+
+               if (sample->evsel->needs_swap)
+                       dynamic_data = bswap_32(dynamic_data);
+
+               offset = dynamic_data & 0xffff;
+               size = (dynamic_data >> 16) & 0xffff;
+
+               if (tep_field_is_relative(field->flags)) {
+                       /*
+                        * Newer kernel feature: Relative offsets (__rel_loc).
+                        * If the relative flag is set, the parsed offset is not
+                        * absolute from the start of the record. Instead, it is
+                        * relative to the *end* of the dynamic field descriptor
+                        * itself.
+                        */
                        offset += field->offset + field->size;
+               }
        }
+       if (out_of_bounds(field, offset, size, sample->raw_size))
+               return NULL;
 
        return sample->raw_data + offset;
 }
@@ -3726,6 +3767,9 @@ u64 format_field__intval(struct tep_format_field *field, struct perf_sample *sam
        u64 value;
        void *ptr = sample->raw_data + field->offset;
 
+       if (out_of_bounds(field, field->offset, field->size, sample->raw_size))
+               return 0;
+
        switch (field->size) {
        case 1:
                return *(u8 *)ptr;