[PATCH v8 24/29] perf kmem: Add bounds checks to tracepoint read values

Next message: Ian Rogers: "[PATCH v8 09/29] perf hist: Remove evsel parameter from inc samples functions"
Previous message: Kees Cook: "Re: [PATCH V3] pstore/ftrace: Factor KASLR offset in the core kernel instruction addresses"
In reply to: Ian Rogers: "[PATCH v8 06/29] perf callchain: Don't pass evsel and sample"
Next in thread: Ian Rogers: "[PATCH v8 09/29] perf hist: Remove evsel parameter from inc samples functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ian Rogers

Date: Sat Apr 11 2026 - 03:02:36 EST

Avoid out-of-bound memory accesses by bound checking order and
migrate_type when coming from page_alloc_event and page_free_event.

Signed-off-by: Ian Rogers <irogers@xxxxxxxxxx>
---
tools/perf/builtin-kmem.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/tools/perf/builtin-kmem.c b/tools/perf/builtin-kmem.c
index daf2272c7337..33585e353efe 100644
--- a/tools/perf/builtin-kmem.c
+++ b/tools/perf/builtin-kmem.c
@@ -826,6 +826,16 @@ static int evsel__process_page_alloc_event(struct perf_sample *sample)
.migrate_type = migrate_type,
};

+ if (order >= MAX_PAGE_ORDER) {
+ pr_debug("Out-of-bounds order %u\n", order);
+ return -1;
+ }
+
+ if (migrate_type >= MAX_MIGRATE_TYPES) {
+ pr_debug("Out-of-bounds migratetype %u\n", migrate_type);
+ return -1;
+ }
+
if (use_pfn)
page = perf_sample__intval(sample, "pfn");
else
@@ -892,6 +902,11 @@ static int evsel__process_page_free_event(struct perf_sample *sample)
.order = order,
};

+ if (order >= MAX_PAGE_ORDER) {
+ pr_debug("Out-of-bounds order %u\n", order);
+ return -1;
+ }
+
if (use_pfn)
page = perf_sample__intval(sample, "pfn");
else
--
2.53.0.1213.gd9a14994de-goog