perf_exe() passes len to readlink() and then unconditionally writes a
trailing NUL at buf[n]. If readlink() returns len, the write lands one
byte past the buffer.

Read at most len - 1 bytes and keep the existing NUL termination. Also
guard the fallback path for tiny buffers so copying "perf" cannot
overflow.

Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Miguel Martín Gil <miguel.martin.gil.uni@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
char *perf_exe(char *buf, int len)
{
- int n = readlink("/proc/self/exe", buf, len);
+ int n;
+
+ if (len <= 0)
+ return buf;
+
+ n = readlink("/proc/self/exe", buf, len - 1);
if (n > 0) {
buf[n] = 0;
return buf;
}
+ if (len < (int)sizeof("perf")) {
+ buf[0] = '\0';
+ return buf;
+ }
+
return strcpy(buf, "perf");
}
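Review bot: the new `if (len <= 0) return buf;` path at the top of perf_exe() returns buf without writing to it, so a caller that goes on to use the result as a C string reads whatever the buffer already held. Nothing can be stored safely in that case, so the code is right to not touch it, but the function now has three distinct outcomes (untouched buffer for len <= 0, empty string when len < sizeof("perf") and readlink() fails, otherwise a path or "perf") and none of them is documented; a short comment above the function stating that contract would help callers. A second point on the `readlink("/proc/self/exe", buf, len - 1)` line: readlink() truncates silently, so a path longer than len - 1 bytes comes back cut short with n == len - 1 and is returned as if it were complete. If callers depend on the full path, consider treating n == len - 1 as possible truncation and taking the fallback path instead. Separately, n stays an int while readlink() returns ssize_t; that predates this change but is worth tidying while the line is being touched.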