perf bpf: Validate func_info_rec_size and sub_id in synthesize_bpf_prog_name()
synthesize_bpf_prog_name() computes a pointer into the func_info array
using sub_id * info->func_info_rec_size without validating either value.
Both come from perf.data and are untrusted:
- A func_info_rec_size smaller than sizeof(struct bpf_func_info) means
the finfo pointer would reference a truncated entry, reading past it
into adjacent data.
- A sub_id >= nr_func_info computes an offset past the func_info buffer,
causing an out-of-bounds read.
Add bounds checks for both values before computing the pointer offset.
When validation fails, fall through to the non-BTF name path instead
of reading garbage.
Reported-by: sashiko-bot <sashiko-bot@kernel.org> Fixes: 7b612e291a5affb1 ("perf tools: Synthesize PERF_RECORD_* for loaded BPF programs") Cc: Song Liu <songliubraving@fb.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
projects / thirdparty / linux.git / commit
