[PATCH 6/6] perf python: Check if there is space to copy all the event

From: Arnaldo Carvalho de Melo
Date: Wed Mar 12 2025 - 16:33:39 EST

Next message: Korenblit, Miriam Rachel: "RE: wifi: iwlwifi: Fix uninitialized variable with __free()"
Previous message: Dave Hansen: "Re: [PATCH v2 0/1] Accept unaccepted kexec segments' destination addresses"
In reply to: Arnaldo Carvalho de Melo: "[PATCH 5/6] perf python: Don't keep a raw_data pointer to consumed ring buffer space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>

The pyrf_event__new() method copies the event obtained from the perf
ring buffer to a structure that will then be turned into a python object
for further consumption, so it copies perf_event.header.size bytes to
its 'event' member:

$ pahole -C pyrf_event /tmp/build/perf-tools-next/python/perf.cpython-312-x86_64-linux-gnu.so
struct pyrf_event {
PyObject ob_base; /* 0 16 */
struct evsel * evsel; /* 16 8 */
struct perf_sample sample; /* 24 312 */

/* XXX last struct has 7 bytes of padding, 2 holes */

/* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */
union perf_event event; /* 336 4168 */

/* size: 4504, cachelines: 71, members: 4 */
/* member types with holes: 1, total: 2 */
/* paddings: 1, sum paddings: 7 */
/* last cacheline: 24 bytes */
};

$

It was doing so without checking if the event just obtained has more
than that space, fix it.

This isn't a proper, final solution, as we need to support larger
events, but for the time being we at least bounds check and document it.

Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding")
Cc: Adrian Hunter <adrian.hunter@xxxxxxxxx>
Cc: Ian Rogers <irogers@xxxxxxxxxx>
Cc: James Clark <james.clark@xxxxxxxxxx>
Cc: Jiri Olsa <jolsa@xxxxxxxxxx>
Cc: Kan Liang <kan.liang@xxxxxxxxxxxxxxx>
Cc: Namhyung Kim <namhyung@xxxxxxxxxx>
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/util/python.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
index 6a03341e17881337..f3c05da25b4af8c0 100644
--- a/tools/perf/util/python.c
+++ b/tools/perf/util/python.c
@@ -476,6 +476,11 @@ static PyObject *pyrf_event__new(const union perf_event *event)
event->header.type == PERF_RECORD_SWITCH_CPU_WIDE))
return NULL;

+ // FIXME this better be dynamic or we need to parse everything
+ // before calling perf_mmap__consume(), including tracepoint fields.
+ if (sizeof(pevent->event) < event->header.size)
+ return NULL;
+
ptype = pyrf_event__type[event->header.type];
pevent = PyObject_New(struct pyrf_event, ptype);
if (pevent != NULL)
--
2.48.1

Next message: Korenblit, Miriam Rachel: "RE: wifi: iwlwifi: Fix uninitialized variable with __free()"
Previous message: Dave Hansen: "Re: [PATCH v2 0/1] Accept unaccepted kexec segments' destination addresses"
In reply to: Arnaldo Carvalho de Melo: "[PATCH 5/6] perf python: Don't keep a raw_data pointer to consumed ring buffer space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]