git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Arnaldo Carvalho de Melo <acme@redhat.com>
	Sat, 2 May 2026 17:20:14 +0000 (14:20 -0300)
committer	Arnaldo Carvalho de Melo <acme@redhat.com>
	Fri, 29 May 2026 14:44:33 +0000 (11:44 -0300)
commit	2bd03e3054a4e21895e6aa20dd8a14c08e37edee
tree	9032ab53edfc47200037f183c62b9640cbd314a9	tree \| snapshot
parent	3c18544fb18b18fa824d072fc6a22e8d9f6dc070	commit \| diff

perf tools: Bounds check perf_event_attr fields against attr.size before printing

perf_event_attr__fprintf() accessed all struct fields unconditionally,
but attrs from older perf.data files or BPF-captured syscall payloads
may have a smaller size than the current struct. Fields beyond the
recorded size contain uninitialized or zero-filled data.

Add size-guarded macros (PRINT_ATTRn, PRINT_ATTRn_bf) that compare
each field's offset against attr->size before accessing it.

Guard the bitfield block (disabled, inherit, ... defer_output) with
attr_size >= 48. These bitfields share a single __u64 at offset 40,
which is within PERF_ATTR_SIZE_VER0 for validated perf.data attrs,
but BPF-captured attrs from perf trace can have a smaller size when
the tracee passes a minimal struct to sys_perf_event_open.

Also fix the BPF trace path: when perf trace intercepts
sys_perf_event_open via BPF, the program copies PERF_ATTR_SIZE_VER0
bytes when the tracee passes size=0, but leaves the size field as 0.
Set attr->size to PERF_ATTR_SIZE_VER0 in the augmented syscall
handler so the bounds checks match the actual copied size.

Reported-by: sashiko-bot@kernel.org # Running on a local machine
Reviewed-by: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude:claude-opus-4.6-1m
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

tools/perf/trace/beauty/perf_event_open.c		diff \| blob \| blame \| history
tools/perf/util/perf_event_attr_fprintf.c		diff \| blob \| blame \| history