From: Ian Rogers Date: Wed, 20 May 2026 19:05:36 +0000 (-0700) Subject: perf evsel: Add bounds checking to trace point raw data accessors X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9aa1ec2e1d21be400767aa9b754adbae7d8e1d32;p=thirdparty%2Fkernel%2Fstable.git perf evsel: Add bounds checking to trace point raw data accessors Prevent out-of-bounds memory reads when parsing corrupted or maliciously crafted perf.data files by introducing robust bounds validation to raw data accessors. - Add a helper out_of_bounds() to check if field offsets and sizes exceed the sample's raw_size boundary, preventing heap read overflows. - In perf_sample__rawptr(), properly resolve newer relative dynamic tracepoint fields (__rel_loc) by checking the boundaries before and after reading the dynamic field descriptor. - Byte-swap dynamic field offsets and sizes dynamically when endianness varies, ensuring cross-endian parsing is robust. Signed-off-by: Ian Rogers Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Albert Ou Cc: Alexander Shishkin Cc: Alexandre Ghiti Cc: Andi Kleen Cc: Andrew Jones Cc: Anup Patel Cc: Athira Rajeev Cc: Blake Jones Cc: Chen Ni Cc: Chun-Tse Shao Cc: Dapeng Mi Cc: Derek Foreman Cc: Dmitriy Vyukov Cc: Dr. David Alan Gilbert Cc: Howard Chu Cc: Hrishikesh Suresh Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: Krzysztof Ɓopatowski Cc: Leo Yan Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Peter Zijlstra Cc: Quan Zhou Cc: Ravi Bangoria Cc: Swapnil Sapkal Cc: Thomas Falcon Cc: Tianyou Li Cc: Yujie Liu Cc: tanze Signed-off-by: Arnaldo Carvalho de Melo --- diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c index bb48568b8101..713a250c7374 100644 --- a/tools/perf/util/evsel.c +++ b/tools/perf/util/evsel.c @@ -3700,22 +3700,63 @@ struct tep_format_field *evsel__common_field(struct evsel *evsel, const char *na return tp_format ? tep_find_common_field(tp_format, name) : NULL; } +static bool out_of_bounds(const struct tep_format_field *field, int offset, int size, u32 raw_size) +{ + if (offset < 0) { + pr_warning("Negative trace point field offset %d in %s\n", + offset, field->name); + return true; + } + if (size < 0) { + pr_warning("Negative trace point field size %d in %s\n", + size, field->name); + return true; + } + if ((u32)offset + (u32)size > raw_size) { + pr_warning("Out of bound tracepoint field (%s) offset %d size %d in %u\n", + field->name, offset, size, raw_size); + return true; + } + return false; +} + void *perf_sample__rawptr(struct perf_sample *sample, const char *name) { struct tep_format_field *field = evsel__field(sample->evsel, name); - int offset; + int offset, size; if (!field) return NULL; offset = field->offset; - + size = field->size; if (field->flags & TEP_FIELD_IS_DYNAMIC) { - offset = *(int *)(sample->raw_data + field->offset); - offset &= 0xffff; - if (tep_field_is_relative(field->flags)) + int dynamic_data; + + if (out_of_bounds(field, offset, 4, sample->raw_size)) + return NULL; + + dynamic_data = *(int *)(sample->raw_data + field->offset); + + if (sample->evsel->needs_swap) + dynamic_data = bswap_32(dynamic_data); + + offset = dynamic_data & 0xffff; + size = (dynamic_data >> 16) & 0xffff; + + if (tep_field_is_relative(field->flags)) { + /* + * Newer kernel feature: Relative offsets (__rel_loc). + * If the relative flag is set, the parsed offset is not + * absolute from the start of the record. Instead, it is + * relative to the *end* of the dynamic field descriptor + * itself. + */ offset += field->offset + field->size; + } } + if (out_of_bounds(field, offset, size, sample->raw_size)) + return NULL; return sample->raw_data + offset; } @@ -3726,6 +3767,9 @@ u64 format_field__intval(struct tep_format_field *field, struct perf_sample *sam u64 value; void *ptr = sample->raw_data + field->offset; + if (out_of_bounds(field, field->offset, field->size, sample->raw_size)) + return 0; + switch (field->size) { case 1: return *(u8 *)ptr;