On Mon, Nov 27, 2017 at 06:25:32PM +0100, Jiri Olsa wrote:
> On Mon, Nov 27, 2017 at 06:12:03PM +0100, Peter Zijlstra wrote:
> > But what validates the input attr is the same as the event attr, aside
> > from those fields?
>
> we don't.. the attr serves as a holder to carry those fields
> into the function

Then that's a straight up bug.

> the current kernel interface does not check anything else

Not enough, if the new attr would fail perf_event_open() it should also
fail this modify thing.

> there's one more check in the ioctl path, we check the
> type in perf_event_modify_attr:
>
>         if (event->attr.type != attr->type)
>                 return -EINVAL;

Note how hw_breakpoint_event_init() tests has_branch_stack() and fails
on it. Ideally we should check a whole lot more and fail, but alas..

