[PATCH 1/2] tracing/hist: bound full field-name construction

Next message: Pengpeng Hou: "[PATCH] scsi: qedi: bound UIO TX packet length before copying"
Previous message: Pengpeng Hou: "[PATCH] enclosure: bound sysfs link name construction"
Next in thread: Steven Rostedt: "Re: [PATCH 1/2] tracing/hist: bound full field-name construction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Sat Mar 28 2026 - 23:11:39 EST

hist_field_name() builds a fully qualified synthetic field name in a
fixed MAX_FILTER_STR_VAL buffer using repeated strcat() calls. Long
system, event, and field names can therefore overflow the static staging
buffer.

Build the qualified name with snprintf() and fall back to the plain
field name if it does not fit.

Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
kernel/trace/trace_events_hist.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 73ea180cad55..4a27da628a71 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -1362,12 +1362,12 @@ static const char *hist_field_name(struct hist_field *field,
if (field->system) {
static char full_name[MAX_FILTER_STR_VAL];

- strcat(full_name, field->system);
- strcat(full_name, ".");
- strcat(full_name, field->event_name);
- strcat(full_name, ".");
- strcat(full_name, field->name);
- field_name = full_name;
+ if (snprintf(full_name, sizeof(full_name), "%s.%s.%s",
+ field->system, field->event_name,
+ field->name) < sizeof(full_name))
+ field_name = full_name;
+ else
+ field_name = field->name;
} else
field_name = field->name;
} else if (field->flags & HIST_FIELD_FL_TIMESTAMP)
--
2.50.1 (Apple Git-155)