git.ipfire.org Git - thirdparty/linux.git/commit
perf pmu: Fix perf_pmu__parse_scale/unit() OOB access on empty sysfs file
author Arnaldo Carvalho de Melo <acme@redhat.com>
Mon, 8 Jun 2026 00:03:13 +0000 (21:03 -0300)
committer Arnaldo Carvalho de Melo <acme@redhat.com>
Wed, 10 Jun 2026 21:56:01 +0000 (18:56 -0300)
commit 33035f7dd4e49f3f117e70c5e36c8c1ae88d37f2
tree d9c554c95a0f2c6c95b2ce689419ab6fb978877b
parent 836455e6dbd34eb3d12eeab5e2d2b9a7f1512459
perf pmu: Fix perf_pmu__parse_scale/unit() OOB access on empty sysfs file

perf_pmu__parse_scale() reads a PMU scale file then accesses
scale[sret - 1] to strip a trailing newline.  Only sret < 0 is
guarded, so an empty file (sret == 0) causes scale[-1] — a stack
buffer underflow that reads and potentially writes out of bounds.

perf_pmu__parse_unit() has the same pattern: alias->unit[sret - 1]
with sret == 0 accesses the byte before the struct member, which
may corrupt the adjacent pmu_name pointer field.

Change both guards from sret < 0 to sret <= 0 so that empty files
are treated as read errors.

Fixes: 410136f5dd96b601 ("tools/perf/stat: Add event unit and scale support")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Stephane Eranian <eranian@google.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
tools/perf/util/pmu.c
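
The guard change described in the commit message, shown as an added example (this is not the code from tools/perf/util/pmu.c, nor the patch itself): a reader that strips one trailing newline and treats a zero-byte read as an error. `read_value` and `read_value_from_bytes` are hypothetical names, and a pipe fed with constructed bytes stands in for the sysfs file.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from tools/perf): read a short text value from fd
 * into buf and strip one trailing newline. Returns the resulting string
 * length, or -1 on read error, empty input or an unusable buffer.
 */
static ssize_t read_value(int fd, char *buf, size_t len)
{
	ssize_t sret;

	if (len < 2)
		return -1;
	sret = read(fd, buf, len - 1);
	/*
	 * With only "sret < 0" here, an empty file (sret == 0) would reach
	 * buf[sret - 1], i.e. buf[-1], one byte before the buffer.
	 */
	if (sret <= 0)
		return -1;
	if (buf[sret - 1] == '\n')
		sret--;
	buf[sret] = '\0';
	return sret;
}

/* Constructed input: n bytes pushed through a pipe play the sysfs file. */
static ssize_t read_value_from_bytes(const char *data, size_t n,
				     char *buf, size_t len)
{
	int p[2];
	ssize_t ret = -2;	/* -2: test plumbing failed, not a parse result */

	if (pipe(p) < 0)
		return ret;
	if (n == 0 || write(p[1], data, n) == (ssize_t)n) {
		close(p[1]);	/* EOF for the reader: empty input reads as 0 */
		p[1] = -1;
		ret = read_value(p[0], buf, len);
	}
	if (p[1] >= 0)
		close(p[1]);
	close(p[0]);
	return ret;
}
```
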