| author | Arnaldo Carvalho de Melo <acme@redhat.com> | 2026-06-13 20:16:45 +0300 |
|---|---|---|
| committer | Arnaldo Carvalho de Melo <acme@redhat.com> | 2026-06-17 15:21:03 +0300 |
| commit | 312d91329b8fc6989a916a3f9a12d0674167b7e4 (patch) | |
| tree | fdca92c52006e5baf39e3493d9112efaf201e65b /scripts/Makefile.thinlto | |
| parent | fe63d3bca288c5bb983304efd5fc3a5ff3183403 (diff) | |
| download | linux-312d91329b8fc6989a916a3f9a12d0674167b7e4.tar.xz | |
perf cs-etm: Validate num_cpu before metadata allocation

cs_etm__process_auxtrace_info_full() reads num_cpu from untrusted
perf.data and uses it to allocate the metadata pointer array:

    metadata = zalloc(sizeof(*metadata) * num_cpu);

On 32-bit, sizeof(*metadata) is 4, so num_cpu = 0x40000000 overflows
the multiplication to 0, causing zalloc(0) to return a valid zero-sized
allocation followed by out-of-bounds writes in the population loop.

Fix by computing priv_size early and using it to bound num_cpu: each
CPU needs at least one u64 metadata entry, so num_cpu cannot exceed
the total number of u64 entries in the event's private data area.

Fixes: cd8bfd8c973eaff8 ("perf tools: Add processing of coresight metadata")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: James Clark <james.clark@arm.com>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Tor Jeremiassen <tor@ti.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Diffstat (limited to 'scripts/Makefile.thinlto')
0 files changed, 0 insertions, 0 deletions
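
The overflow and the bound described in the commit message, as an added example that is not the perf source or the patch itself. The function names, the use of calloc() in place of zalloc(), and priv_size being a byte count are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count a 32-bit build would hand to the allocator: size_t is
 * 32 bits wide there, so the product is reduced modulo 2^32. */
static uint32_t alloc_bytes_32bit(uint32_t elem_size, uint32_t num_cpu)
{
	return elem_size * num_cpu;	/* unsigned wraparound */
}

/* Bound from the commit message: each CPU needs at least one u64 entry,
 * so num_cpu cannot exceed the number of u64 entries in the private
 * data area. priv_size (bytes) is a hypothetical parameter. */
static int num_cpu_is_plausible(uint64_t num_cpu, uint64_t priv_size)
{
	return num_cpu <= priv_size / sizeof(uint64_t);
}

/* Allocate the pointer array only once the count is bounded by the
 * event size and the byte count is known to fit in size_t. */
static void **alloc_metadata(uint64_t num_cpu, uint64_t priv_size)
{
	if (!num_cpu_is_plausible(num_cpu, priv_size))
		return NULL;
	if (num_cpu > SIZE_MAX / sizeof(void *))
		return NULL;
	return calloc((size_t)num_cpu, sizeof(void *));
}

int main(void)
{
	uint64_t priv_size = 4096;	/* constructed sample event size */
	void **ok;

	printf("32-bit size for num_cpu=0x40000000: %u bytes\n",
	       (unsigned)alloc_bytes_32bit(4, 0x40000000u));
	printf("0x40000000 CPUs accepted: %s\n",
	       alloc_metadata(0x40000000u, priv_size) ? "yes" : "no");
	ok = alloc_metadata(8, priv_size);
	printf("8 CPUs accepted: %s\n", ok ? "yes" : "no");
	free(ok);
	return 0;
}
```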
