author Arnaldo Carvalho de Melo <acme@redhat.com> 2026-06-11 03:03:16 +0300
committer Arnaldo Carvalho de Melo <acme@redhat.com> 2026-06-17 14:29:00 +0300
commit 033e85edfbf271f92979d2a39aeaf40f8472a795 (patch)
tree 88abbce280d2d954df149afd3d829557f319f149 /scripts
parent 2d6ea0875093da9033fcb62c09a9e2f1de49fe91 (diff)
download linux-033e85edfbf271f92979d2a39aeaf40f8472a795.tar.xz
perf bpf: Bounds-check array offsets in bpil_offs_to_addr()
bpil_offs_to_addr() converts offsets stored in perf.data's bpf_prog_info_linear structure into heap pointers by adding the offset to the data allocation base. The offsets come from untrusted file input and are not validated against data_len.

If an offset exceeds data_len, the computed address points outside the allocated data buffer. Callers like synthesize_bpf_prog_name() then dereference prog_tags[sub_id] or func_info pointers, reading arbitrary heap memory.

Add a bounds check: when an offset exceeds data_len, zero the field and skip the conversion. This prevents out-of-bounds pointer construction from crafted perf.data files.

Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Fixes: 6ac22d036f86c4e2 ("perf bpf: Pull in bpf_program__get_prog_info_linear()")
Cc: Dave Marchevsky <davemarchevsky@fb.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
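
A minimal sketch of the check the commit message describes, added here as an example and not taken from the perf source: struct blob_rec, rec_offs_to_addr() and the sample values are hypothetical. It also rejects an array whose length would run past data_len, which goes beyond what the message states.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified record loaded from an untrusted file. */
struct blob_rec {
	uint32_t data_len;     /* size of data[] as allocated */
	uint64_t field[2];     /* file offsets on input, pointers (or 0) on output */
	uint32_t field_len[2]; /* byte length of the array each field refers to */
	uint8_t *data;         /* buffer holding the arrays */
};

/*
 * Turn each offset into a pointer inside data[]. An offset past data_len,
 * or an array that would run past the end of data[], is zeroed and skipped
 * rather than converted. Returns the number of fields rejected.
 */
static int rec_offs_to_addr(struct blob_rec *r)
{
	int rejected = 0;

	for (size_t i = 0; i < 2; i++) {
		uint64_t off = r->field[i];

		/* off <= data_len is checked first, so the subtraction cannot wrap */
		if (off > r->data_len || r->field_len[i] > r->data_len - off) {
			r->field[i] = 0;
			r->field_len[i] = 0;
			rejected++;
			continue;
		}
		r->field[i] = (uint64_t)(uintptr_t)(r->data + off);
	}
	return rejected;
}

int main(void)
{
	/* Constructed sample: 32-byte buffer, one valid offset, one crafted one. */
	uint8_t buf[32] = { 0 };
	struct blob_rec r = { 32, { 8, 0x10000 }, { 16, 8 }, buf };
	int rejected = rec_offs_to_addr(&r);

	printf("rejected=%d field[1]=%llu\n", rejected, (unsigned long long)r.field[1]);
	return 0;
}
```

A caller of this sketch has to treat a zero field as "array absent" before indexing through it.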