session->time_conv = event->time_conv copies sizeof(struct
perf_record_time_conv) bytes unconditionally, but older kernels
emit shorter TIME_CONV events without the time_cycles, time_mask,
cap_user_time_zero, and cap_user_time_short fields.
For a 32-byte event (the original format), this reads 24 bytes
past the event boundary into adjacent mmap'd data. The garbage
values end up in session->time_conv and can cause incorrect TSC
conversion if cap_user_time_zero happens to be non-zero.
Replace the struct assignment with a bounded memcpy capped at
event->header.size, zeroing the remainder so extended fields
default to off when absent.
Reported-by: sashiko-bot@kernel.org # Running on a local machine
Reviewed-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude:claude-opus-4.6-1m
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
err = tool->stat_round(tool, session, event);
break;
case PERF_RECORD_TIME_CONV:
- session->time_conv = event->time_conv;
+ /*
+ * Bounded copy: older kernels emit a shorter struct
+ * without time_cycles/time_mask/cap_user_time_*.
+ * Zero the rest so extended fields default to off.
+ */
+ memset(&session->time_conv, 0, sizeof(session->time_conv));
+ memcpy(&session->time_conv, &event->time_conv,
+ min((size_t)event->header.size, sizeof(session->time_conv)));
err = tool->time_conv(tool, session, event);
break;
case PERF_RECORD_HEADER_FEATURE:
projects / thirdparty / linux.git / commitdiff
