[PATCH v10 27/29] perf evsel: Add bounds checking to trace point raw data accessors

Next message: Ian Rogers: "[PATCH v10 28/29] perf kwork: Fix address sanitizer issues"
Previous message: Ian Rogers: "[PATCH v10 25/29] perf sched: Bounds check CPU in sched switch events"
In reply to: Ian Rogers: "[PATCH v10 25/29] perf sched: Bounds check CPU in sched switch events"
Next in thread: Ian Rogers: "[PATCH v10 28/29] perf kwork: Fix address sanitizer issues"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ian Rogers

Date: Sat Apr 11 2026 - 22:19:16 EST

Avoid a tracepoint field accidentally reading out of bounds by
checking the size of read fits.

Signed-off-by: Ian Rogers <irogers@xxxxxxxxxx>
---
tools/perf/util/evsel.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index bb48568b8101..c3a20f13d669 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -3709,6 +3709,11 @@ void *perf_sample__rawptr(struct perf_sample *sample, const char *name)
return NULL;

offset = field->offset;
+ if ((u32)(offset + field->size) > sample->raw_size) {
+ pr_warning("Invalid trace point field offset %d for field of length %d in sample raw data of size %u\n",
+ offset, field->size, sample->raw_size);
+ return NULL;
+ }

if (field->flags & TEP_FIELD_IS_DYNAMIC) {
offset = *(int *)(sample->raw_data + field->offset);
@@ -3726,6 +3731,12 @@ u64 format_field__intval(struct tep_format_field *field, struct perf_sample *sam
u64 value;
void *ptr = sample->raw_data + field->offset;

+ if ((u32)(field->offset + field->size) > sample->raw_size) {
+ pr_warning("Invalid trace point field offset %d for field of length %d in sample raw data of size %u\n",
+ field->offset, field->size, sample->raw_size);
+ return 0;
+ }
+
switch (field->size) {
case 1:
return *(u8 *)ptr;
--
2.53.0.1213.gd9a14994de-goog