perf cs-etm: Reject CPU IDs that would overflow signed comparison
metadata[j][CS_ETM_CPU] is a u64 from perf.data, but the comparison
with max_cpu casts it to (int). A crafted value like 0xFFFFFFFF becomes
-1 after the cast, which compares less than max_cpu (0), so the queue
array is never sized to accommodate it. When the value is later passed
to cs_etm__get_queue(), it indexes queue_array with the original large
value, causing an out-of-bounds access.
Validate that CS_ETM_CPU fits in an int before using it in the signed
comparison.
Fixes: 57880a7966be510c ("perf: cs-etm: Allocate queues for all CPUs") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: James Clark <james.clark@arm.com> Cc: Adrian Hunter <adrian.hunter@intel.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
projects / thirdparty / linux.git / commit
