perf bpf: Bounds-check array offsets in bpil_offs_to_addr()

bpil_offs_to_addr() converts offsets stored in perf.data's
bpf_prog_info_linear structure into heap pointers by adding the offset
to the data allocation base.  The offsets come from untrusted file input
and are not validated against data_len.

If an offset exceeds data_len, the computed address points outside the
allocated data buffer.  Callers like synthesize_bpf_prog_name() then
dereference prog_tags[sub_id] or func_info pointers, reading arbitrary
heap memory.

Add a bounds check: when an offset exceeds data_len, zero the field
and skip the conversion.  This prevents out-of-bounds pointer
construction from crafted perf.data files.

Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Fixes: 6ac22d036f86c4e2 ("perf bpf: Pull in bpf_program__get_prog_info_linear()")
Cc: Dave Marchevsky <davemarchevsky@fb.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

diff --git a/tools/perf/util/bpf-utils.c b/tools/perf/util/bpf-utils.c
index d6d2c9c190f7afbf5b2224ff18dd16f6bfd54beb..69148197b1ef9e8b091529dddd5e9ea3a788e06d 100644 (file)
--- a/tools/perf/util/bpf-utils.c
+++ b/tools/perf/util/bpf-utils.c
@@ -264,12 +264,28 @@ void bpil_offs_to_addr(struct perf_bpil *info_linear)
        for (i = PERF_BPIL_FIRST_ARRAY; i < PERF_BPIL_LAST_ARRAY; ++i) {
                const struct bpil_array_desc *desc = &bpil_array_desc[i];
                __u64 addr, offs;
+               __u32 count, size;
 
                if ((info_linear->arrays & (1UL << i)) == 0)
                        continue;
 
                offs = bpf_prog_info_read_offset_u64(&info_linear->info,
                                                     desc->array_offset);
+               count = bpf_prog_info_read_offset_u32(&info_linear->info,
+                                                     desc->count_offset);
+               size = bpf_prog_info_read_offset_u32(&info_linear->info,
+                                                    desc->size_offset);
+               /* offset and extent from perf.data are untrusted — keep within data[] */
+               if (offs >= info_linear->data_len ||
+                   (u64)count * size > info_linear->data_len - offs) {
+                       bpf_prog_info_set_offset_u64(&info_linear->info,
+                                                    desc->array_offset, 0);
+                       bpf_prog_info_set_offset_u32(&info_linear->info,
+                                                    desc->count_offset, 0);
+                       /* clear the bit so bpil_addr_to_offs() won't reverse a zeroed address */
+                       info_linear->arrays &= ~(1UL << i);
+                       continue;
+               }
                addr = offs + ptr_to_u64(info_linear->data);
                bpf_prog_info_set_offset_u64(&info_linear->info,
                                             desc->array_offset, addr);