summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorArnaldo Carvalho de Melo <acme@redhat.com>2026-06-11 03:02:25 +0300
committerArnaldo Carvalho de Melo <acme@redhat.com>2026-06-17 14:28:57 +0300
commit2d6ea0875093da9033fcb62c09a9e2f1de49fe91 (patch)
tree5e3c7a47a0b9592c11793600ce9dcd7d95a0a6f0 /scripts
parent10b3c3d63ecc17c6acb855bac5f40367f1115765 (diff)
downloadlinux-2d6ea0875093da9033fcb62c09a9e2f1de49fe91.tar.xz
perf bpf: Reject oversized BPF metadata events that truncate header.size
bpf_metadata_alloc() computes event_size from the number of BPF metadata variables and stores it in header.size, which is __u16. With 204 or more .rodata variables prefixed "bpf_metadata_", event_size exceeds 65535 and silently truncates. The truncated header.size causes synthesize_perf_record_bpf_metadata() to allocate a buffer sized by the truncated value, then memcpy the full event data into it — a heap buffer overflow. Add a check that event_size fits in __u16 before proceeding. BPF programs with that many metadata variables are exotic enough that silently dropping the metadata is acceptable. Reported-by: sashiko-bot <sashiko-bot@kernel.org> Fixes: ab38e84ba9a80581 ("perf record: collect BPF metadata from existing BPF programs") Reviewed-by: Ian Rogers <irogers@google.com> Cc: Blake Jones <blakejones@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions