perf bpf: Reject oversized BPF metadata events that truncate header.size
bpf_metadata_alloc() computes event_size from the number of BPF metadata
variables and stores it in header.size, which is __u16. With 204 or
more .rodata variables prefixed "bpf_metadata_", event_size exceeds
65535 and silently truncates.
The truncated header.size causes synthesize_perf_record_bpf_metadata()
to allocate a buffer sized by the truncated value, then memcpy the full
event data into it — a heap buffer overflow.
Add a check that event_size fits in __u16 before proceeding. BPF
programs with that many metadata variables are exotic enough that
silently dropping the metadata is acceptable.
Reported-by: sashiko-bot <sashiko-bot@kernel.org> Fixes: ab38e84ba9a80581 ("perf record: collect BPF metadata from existing BPF programs") Reviewed-by: Ian Rogers <irogers@google.com> Cc: Blake Jones <blakejones@google.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
projects / thirdparty / linux.git / commit
