[PATCH 09/29] perf session: Use bounded copy for PERF_RECORD_TIME_CONV
From: Arnaldo Carvalho de Melo
Date: Tue May 26 2026 - 17:21:21 EST
From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
session->time_conv = event->time_conv copies sizeof(struct
perf_record_time_conv) bytes unconditionally, but older kernels
emit shorter TIME_CONV events without the time_cycles, time_mask,
cap_user_time_zero, and cap_user_time_short fields.

For a 32-byte event (the original format), this reads 24 bytes
past the event boundary into adjacent mmap'd data. The garbage
values end up in session->time_conv and can cause incorrect TSC
conversion if cap_user_time_zero happens to be non-zero.

Replace the struct assignment with a bounded memcpy capped at
event->header.size, zeroing the remainder so extended fields
default to off when absent.
Reported-by: sashiko-bot@xxxxxxxxxx # Running on a local machine
Cc: Adrian Hunter <adrian.hunter@xxxxxxxxx>
Cc: Ian Rogers <irogers@xxxxxxxxxx>
Cc: Jiri Olsa <jolsa@xxxxxxxxxx>
Cc: Namhyung Kim <namhyung@xxxxxxxxxx>
Assisted-by: Claude Opus 4.6 (1M context) <noreply@xxxxxxxxxxxxx>
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/util/session.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
index d5864e380c1bd52e..3f72b80aac56b04e 100644
--- a/tools/perf/util/session.c
+++ b/tools/perf/util/session.c
@@ -1897,7 +1897,14 @@ static s64 perf_session__process_user_event(struct perf_session *session,
err = tool->stat_round(tool, session, event);
break;
case PERF_RECORD_TIME_CONV:
- session->time_conv = event->time_conv;
+ /*
+ * Bounded copy: older kernels emit a shorter struct
+ * without time_cycles/time_mask/cap_user_time_*.
+ * Zero the rest so extended fields default to off.
+ */
+ memset(&session->time_conv, 0, sizeof(session->time_conv));
+ memcpy(&session->time_conv, &event->time_conv,
+ min((size_t)event->header.size, sizeof(session->time_conv)));
err = tool->time_conv(tool, session, event);
break;
case PERF_RECORD_HEADER_FEATURE:
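Review bot: the memcpy() length in the PERF_RECORD_TIME_CONV case is capped from above but has no lower bound, so an event whose header.size is smaller than the 32-byte original format mentioned in the commit message is accepted with the base conversion fields partly or wholly zeroed, and tool->time_conv() is still called. Consider rejecting or skipping the event when header.size is below that minimum instead of silently copying a fragment. Separately, tool->time_conv() still receives the raw event, so the bounded copy only protects readers of session->time_conv; any callback that reads the extended fields through event->time_conv needs the same header.size check, which is worth confirming before this goes in. The new comment could also say that the cap relies on header.size counting from the start of the struct being copied, since that is what makes min(header.size, sizeof(session->time_conv)) the right bound.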
--
2.54.0