perf bpf: Reject oversized BPF metadata events that truncate header.size

bpf_metadata_alloc() computes event_size from the number of BPF metadata
variables and stores it in header.size, which is __u16.  With 204 or
more .rodata variables prefixed "bpf_metadata_", event_size exceeds
65535 and silently truncates.

The truncated header.size causes synthesize_perf_record_bpf_metadata()
to allocate a buffer sized by the truncated value, then memcpy the full
event data into it — a heap buffer overflow.

Add a check that event_size fits in __u16 before proceeding.  BPF
programs with that many metadata variables are exotic enough that
silently dropping the metadata is acceptable.

Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Fixes: ab38e84ba9a80581 ("perf record: collect BPF metadata from existing BPF programs")
Reviewed-by: Ian Rogers <irogers@google.com>
Cc: Blake Jones <blakejones@google.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
index fe6fbca508c5135cd1673469b3c23743aa360679..57d53ba848359e122690a06793089400a8cc141c 100644 (file)
--- a/tools/perf/util/bpf-event.c
+++ b/tools/perf/util/bpf-event.c
@@ -369,6 +369,15 @@ static struct bpf_metadata *bpf_metadata_alloc(__u32 nr_prog_tags,
 
        event_size = sizeof(metadata->event->bpf_metadata) +
            nr_variables * sizeof(metadata->event->bpf_metadata.entries[0]);
+       /*
+        * header.size is __u16.  synthesize_perf_record_bpf_metadata()
+        * adds machine->id_hdr_size (up to ~64 bytes) after this, so
+        * leave headroom to prevent the final size from wrapping.
+        */
+       if (event_size > UINT16_MAX - 256) {
+               bpf_metadata_free(metadata);
+               return NULL;
+       }
        metadata->event = zalloc(event_size);
        if (!metadata->event) {
                bpf_metadata_free(metadata);