Re: [PATCH 05/11] perf sched: Bounds-check prio before test_bit() in timehist
From: Ian Rogers
Date: Mon Jun 08 2026 - 17:59:04 EST
On Mon, Jun 8, 2026 at 1:18 PM Arnaldo Carvalho de Melo <acme@xxxxxxxxxx> wrote:
>
> From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
>
> timehist_skip_sample() reads prio from untrusted tracepoint data via
> perf_sample__intval(sample, "prev_prio") without bounds validation.
> A crafted perf.data with prev_prio >= MAX_PRIO (140) causes test_bit()
> to read past the end of the prio_bitmap, which is only MAX_PRIO bits.
>
> Add a prio >= 0 && prio < MAX_PRIO check before the test_bit() call.
> This also makes the != -1 sentinel check explicit as >= 0.
>
> Fixes: 9b3a48bbe20d9692 ("perf sched timehist: Add --prio option")
> Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
> Cc: Yang Jihong <yangjihong@xxxxxxxxxxxxx>
> Assisted-by: Claude Opus 4.6 <noreply@xxxxxxxxxxxxx>
> Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
Reviewed-by: Ian Rogers <irogers@xxxxxxxxxx>
Thanks,
Ian
> ---
> tools/perf/builtin-sched.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
> index 1ff01f03d2ad1ad3..ded511d8518803a0 100644
> --- a/tools/perf/builtin-sched.c
> +++ b/tools/perf/builtin-sched.c
> @@ -2645,7 +2645,9 @@ static bool timehist_skip_sample(struct perf_sched *sched,
> else if (evsel__name_is(sample->evsel, "sched:sched_switch"))
> prio = perf_sample__intval(sample, "prev_prio");
>
> - if (prio != -1 && !test_bit(prio, sched->prio_bitmap)) {
> + /* prio comes from untrusted tracepoint data — bounds-check before test_bit */
> + if (prio >= 0 &&
> + (prio >= MAX_PRIO || !test_bit(prio, sched->prio_bitmap))) {
> rc = true;
> sched->skipped_samples++;
> }
> --
> 2.54.0
>