git.ipfire.org Git - thirdparty/linux.git/commit
perf bpf: Bounds-check array offsets in bpil_offs_to_addr()
author Arnaldo Carvalho de Melo <acme@redhat.com>
Thu, 11 Jun 2026 00:03:16 +0000 (21:03 -0300)
committer Arnaldo Carvalho de Melo <acme@redhat.com>
Wed, 17 Jun 2026 11:29:00 +0000 (08:29 -0300)
commit 033e85edfbf271f92979d2a39aeaf40f8472a795
tree 88abbce280d2d954df149afd3d829557f319f149
parent 2d6ea0875093da9033fcb62c09a9e2f1de49fe91
perf bpf: Bounds-check array offsets in bpil_offs_to_addr()

bpil_offs_to_addr() converts offsets stored in perf.data's
bpf_prog_info_linear structure into heap pointers by adding the offset
to the data allocation base.  The offsets come from untrusted file input
and are not validated against data_len.

If an offset exceeds data_len, the computed address points outside the
allocated data buffer.  Callers like synthesize_bpf_prog_name() then
dereference prog_tags[sub_id] or func_info pointers, reading arbitrary
heap memory.

Add a bounds check: when an offset exceeds data_len, zero the field
and skip the conversion.  This prevents out-of-bounds pointer
construction from crafted perf.data files.

Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Fixes: 6ac22d036f86c4e2 ("perf bpf: Pull in bpf_program__get_prog_info_linear()")
Cc: Dave Marchevsky <davemarchevsky@fb.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
tools/perf/util/bpf-utils.c
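
The check the commit message describes, as an added example that is not the perf code from this commit: `struct linear_rec`, `rec_offs_to_addr()` and the sample values are hypothetical. It goes one step beyond the described fix by also validating each array's claimed size against `data_len`, so a field that starts inside the buffer but ends outside it is rejected too.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_ARRAYS 3 /* hypothetical: number of offset-encoded arrays */

/* Hypothetical, simplified stand-in for an offset-encoded record read from a file. */
struct linear_rec {
	uint32_t data_len;         /* size of data[] as allocated */
	uint64_t field[NR_ARRAYS]; /* from file: offset into data[]; after conversion: address */
	uint32_t size[NR_ARRAYS];  /* byte size each array claims to have */
	uint8_t  data[];
};

/*
 * Convert offsets to addresses. A field whose [offset, offset + size) range
 * does not fit in data[] is zeroed and skipped. The size test is written as a
 * subtraction so that offset + size cannot wrap. Returns the number rejected.
 */
int rec_offs_to_addr(struct linear_rec *rec)
{
	int rejected = 0;

	for (int i = 0; i < NR_ARRAYS; i++) {
		uint64_t off = rec->field[i];

		if (off > rec->data_len || rec->size[i] > rec->data_len - off) {
			rec->field[i] = 0;
			rec->size[i] = 0;
			rejected++;
			continue;
		}
		rec->field[i] = (uint64_t)(uintptr_t)(rec->data + off);
	}
	return rejected;
}

int main(void)
{
	/* Constructed sample: one valid field, one offset past the end, one overlong size. */
	struct linear_rec *rec = calloc(1, sizeof(*rec) + 64);
	if (!rec) return 1;
	rec->data_len = 64;
	rec->field[0] = 8;    rec->size[0] = 16; /* fits */
	rec->field[1] = 4096; rec->size[1] = 8;  /* offset beyond data_len */
	rec->field[2] = 60;   rec->size[2] = 8;  /* starts inside, ends outside */
	printf("rejected %d of %d fields\n", rec_offs_to_addr(rec), NR_ARRAYS);
	free(rec);
	return 0;
}
```

Callers must treat a zeroed field as "array absent" and check for it before indexing.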