From: Arnaldo Carvalho de Melo Date: Wed, 6 May 2026 20:00:50 +0000 (-0300) Subject: perf session: Use bounded copy for PERF_RECORD_TIME_CONV X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=3ade633da7aa58e2a643c9eb0686c91d7dfa4f4e;p=thirdparty%2Flinux.git perf session: Use bounded copy for PERF_RECORD_TIME_CONV session->time_conv = event->time_conv copies sizeof(struct perf_record_time_conv) bytes unconditionally, but older kernels emit shorter TIME_CONV events without the time_cycles, time_mask, cap_user_time_zero, and cap_user_time_short fields. For a 32-byte event (the original format), this reads 24 bytes past the event boundary into adjacent mmap'd data. The garbage values end up in session->time_conv and can cause incorrect TSC conversion if cap_user_time_zero happens to be non-zero. Replace the struct assignment with a bounded memcpy capped at event->header.size, zeroing the remainder so extended fields default to off when absent. Reported-by: sashiko-bot@kernel.org # Running on a local machine Reviewed-by: Ian Rogers Cc: Adrian Hunter Cc: Jiri Olsa Cc: Namhyung Kim Assisted-by: Claude:claude-opus-4.6-1m Signed-off-by: Arnaldo Carvalho de Melo --- diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c index d5864e380c1bd..3f72b80aac56b 100644 --- a/tools/perf/util/session.c +++ b/tools/perf/util/session.c @@ -1897,7 +1897,14 @@ static s64 perf_session__process_user_event(struct perf_session *session, err = tool->stat_round(tool, session, event); break; case PERF_RECORD_TIME_CONV: - session->time_conv = event->time_conv; + /* + * Bounded copy: older kernels emit a shorter struct + * without time_cycles/time_mask/cap_user_time_*. + * Zero the rest so extended fields default to off. + */ + memset(&session->time_conv, 0, sizeof(session->time_conv)); + memcpy(&session->time_conv, &event->time_conv, + min((size_t)event->header.size, sizeof(session->time_conv))); err = tool->time_conv(tool, session, event); break; case PERF_RECORD_HEADER_FEATURE: