diff options
| author | Arnaldo Carvalho de Melo <acme@redhat.com> | 2026-04-11 01:09:00 +0300 |
|---|---|---|
| committer | Namhyung Kim <namhyung@kernel.org> | 2026-04-14 09:21:53 +0300 |
| commit | 6830e20c92e7388ae4834a3574a0d3d90500c4c1 (patch) | |
| tree | 4e47300054b06633146c50c296f82f805da21dc1 /tools | |
| parent | f613a6d694aa499edb2a291ab2c2d906619585f2 (diff) | |
| download | linux-6830e20c92e7388ae4834a3574a0d3d90500c4c1.tar.xz | |
perf header: Sanity check HEADER_GROUP_DESC
Add upper bound check on nr_groups in process_group_desc() to harden
against malformed perf.data files (max 32768), and move the env
assignment after validation.
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/perf/util/header.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c index 77035d9b138c..993e20debd5c 100644 --- a/tools/perf/util/header.c +++ b/tools/perf/util/header.c @@ -63,6 +63,7 @@ #include <event-parse.h> #endif +#define MAX_GROUP_DESC 32768 #define MAX_NUMA_NODES 4096 #define MAX_PMU_MAPPINGS 4096 #define MAX_SCHED_DOMAINS 64 @@ -3132,12 +3133,25 @@ static int process_group_desc(struct feat_fd *ff, void *data __maybe_unused) if (do_read_u32(ff, &nr_groups)) return -1; - env->nr_groups = nr_groups; if (!nr_groups) { pr_debug("group desc not available\n"); return 0; } + if (nr_groups > MAX_GROUP_DESC) { + pr_err("Invalid HEADER_GROUP_DESC: nr_groups (%u) > %u\n", + nr_groups, MAX_GROUP_DESC); + return -1; + } + + if (ff->size < sizeof(u32) + nr_groups * 3 * sizeof(u32)) { + pr_err("Invalid HEADER_GROUP_DESC: section too small (%zu) for %u groups\n", + ff->size, nr_groups); + return -1; + } + + env->nr_groups = nr_groups; + desc = calloc(nr_groups, sizeof(*desc)); if (!desc) return -1; |