Fix four issues in PERF_RECORD_AUXTRACE_ERROR handling:
1. auxtrace_error_name() takes a signed int parameter, but e->type
is __u32. A crafted value like 0xFFFFFFFF converts to -1, passes
the bounds check, and causes a negative array index. Fix by
changing the parameter to unsigned int.
2. The msg field is printed via %s without a length bound. The
min_size table only guarantees fields up to msg (offset 48), so
a truncated event has zero msg bytes within the event boundary.
Compute the available msg length from header.size, cap at
sizeof(e->msg), and use %.*s.
3. fmt >= 2 adds machine_pid and vcpu fields after msg[64]. Older
files may have fmt >= 2 but an event size that doesn't include
these fields. Add a size check in the swap handler to downgrade
fmt before the conditional field access, and a matching size
guard in the fprintf path for native-endian events (which are
mmap'd read-only and can't be modified in place).
4. python_process_auxtrace_error() had the same issues: msg was
passed to tuple_set_string() unbounded, and machine_pid/vcpu
were accessed unconditionally without checking fmt or event
size. Apply the same bounds checks.
Reported-by: sashiko-bot@kernel.org # Running on a local machine Reviewed-by: Ian Rogers <irogers@google.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Assisted-by: Claude:claude-opus-4.6-1m Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
projects / thirdparty / linux.git / commit
