perf header: Sanity check HEADER_EVENT_DESC attr.size before swap

read_event_desc() reads nre (event count), sz (attr size), and nr
(IDs per event) from the file and uses them to control allocations
and loops without validating them against the section size.

A crafted perf.data could trigger large allocations or many loop
iterations before __do_read() eventually rejects the reads.

Add bounds checks in read_event_desc():

- Reject sz smaller than PERF_ATTR_SIZE_VER0.
- Require at least one event (nre > 0).
- Check that nre events fit in the remaining section, using the
  minimum per-event footprint of sz + sizeof(u32).
- Pre-swap attr->size to native byte order, then reject values
  below PERF_ATTR_SIZE_VER0 or above sz before calling
  perf_event__attr_swap() to prevent heap out-of-bounds access.
- Handle ABI0 (attr.size == 0): substitute PERF_ATTR_SIZE_VER0,
  and on native-endian files write the value back so
  free_event_desc() does not treat the zero as its end-of-array
  sentinel (it iterates while attr.size != 0). The swap path
  skips the write-back — perf_event__attr_swap() has its own
  ABI0 fallback that sets VER0 after swapping.
- Check that nr IDs fit in the remaining section before allocating.

Fixes: b30b61729246 ("perf tools: Fix a problem when opening old perf.data with different byte order")
Reported-by: sashiko-bot@kernel.org # Running on a local machine
Reviewed-by: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Assisted-by: Claude:claude-opus-4.6-1m
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
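
The checks listed in the commit message, modeled as stand-alone C. This is an added illustration, not code from the patch or from perf: the function names, the error enum, and the 8-byte ID size are assumptions, and the input values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define ATTR_SIZE_VER0 64u /* value of PERF_ATTR_SIZE_VER0 */

enum desc_err { DESC_OK, DESC_BAD_SZ, DESC_NO_EVENTS, DESC_TOO_MANY_EVENTS,
                DESC_BAD_ATTR_SIZE, DESC_TOO_MANY_IDS };

static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Header counts: nre events of at least sz + sizeof(u32) bytes each must fit. */
int check_desc_header(uint32_t nre, uint32_t sz, uint64_t remaining)
{
    if (sz < ATTR_SIZE_VER0)
        return DESC_BAD_SZ;
    if (nre == 0)
        return DESC_NO_EVENTS;
    /* Divide instead of multiplying so nre * footprint cannot overflow. */
    if (nre > remaining / ((uint64_t)sz + sizeof(uint32_t)))
        return DESC_TOO_MANY_EVENTS;
    return DESC_OK;
}

/* Per-event attr.size: convert to native order first, then range-check. */
int check_attr_size(uint32_t raw, int needs_swap, uint32_t sz, uint32_t *out)
{
    uint32_t size = needs_swap ? swap32(raw) : raw;

    if (size == 0) /* ABI0 files leave attr.size unset */
        size = ATTR_SIZE_VER0;
    if (size < ATTR_SIZE_VER0 || size > sz)
        return DESC_BAD_ATTR_SIZE;
    *out = size;
    return DESC_OK;
}

/* nr IDs (assumed 8 bytes each) must fit before anything is allocated. */
int check_id_count(uint32_t nr, uint64_t remaining)
{
    return nr > remaining / sizeof(uint64_t) ? DESC_TOO_MANY_IDS : DESC_OK;
}

int main(void)
{
    /* Constructed values: a 4 KiB section claiming 2^32-1 events. */
    printf("%d\n", check_desc_header(0xffffffffu, 128, 4096));
    return 0;
}
```

Range-checking the native-order value is what matters on foreign-endian files: the same four bytes read as 64 after swapping and as 0x40000000 before.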