diff options
| author | Arnaldo Carvalho de Melo <acme@redhat.com> | 2026-04-11 01:09:01 +0300 |
|---|---|---|
| committer | Namhyung Kim <namhyung@kernel.org> | 2026-04-14 09:21:53 +0300 |
| commit | 110a661708a6a90997442f02f261e2043624a1c8 (patch) | |
| tree | 5258619413efb2e119df78dabd6b876d5ebe10a4 /tools | |
| parent | 6830e20c92e7388ae4834a3574a0d3d90500c4c1 (diff) | |
| download | linux-110a661708a6a90997442f02f261e2043624a1c8.tar.xz | |
perf header: Sanity check HEADER_CACHE
Add upper bound check on cache entry count in process_cache() to harden
against malformed perf.data files (max 32768).
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/perf/util/header.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c index 993e20debd5c..749a522fe057 100644 --- a/tools/perf/util/header.c +++ b/tools/perf/util/header.c @@ -63,6 +63,7 @@ #include <event-parse.h> #endif +#define MAX_CACHE_ENTRIES 32768 #define MAX_GROUP_DESC 32768 #define MAX_NUMA_NODES 4096 #define MAX_PMU_MAPPINGS 4096 @@ -3243,6 +3244,18 @@ static int process_cache(struct feat_fd *ff, void *data __maybe_unused) if (do_read_u32(ff, &cnt)) return -1; + if (cnt > MAX_CACHE_ENTRIES) { + pr_err("Invalid HEADER_CACHE: cnt (%u) > %u\n", + cnt, MAX_CACHE_ENTRIES); + return -1; + } + + if (ff->size < 2 * sizeof(u32) + cnt * 7 * sizeof(u32)) { + pr_err("Invalid HEADER_CACHE: section too small (%zu) for %u entries\n", + ff->size, cnt); + return -1; + } + caches = calloc(cnt, sizeof(*caches)); if (!caches) return -1; |