perf synthetic-events: Bound check when synthesizing mmap2 and build_id events

author Ian Rogers <irogers@google.com>

Wed, 20 May 2026 19:05:32 +0000 (12:05 -0700)

committer Arnaldo Carvalho de Melo <acme@redhat.com>

Wed, 20 May 2026 19:39:40 +0000 (16:39 -0300)
author Ian Rogers <irogers@google.com>
Wed, 20 May 2026 19:05:32 +0000 (12:05 -0700)
committer Arnaldo Carvalho de Melo <acme@redhat.com>
Wed, 20 May 2026 19:39:40 +0000 (16:39 -0300)
diff --git a/tools/perf/util/synthetic-events.c b/tools/perf/util/synthetic-events.c

index fd1d4c0345d6f95e88f86dbdccc834f55d58bcbc..d665b0f94b321433a4cbe587ccd0d61aca933a05 100644 (file)
--- a/tools/perf/util/synthetic-events.c
+++ b/tools/perf/util/synthetic-events.c
@@ -2268,14 +2268,20 @@ int perf_event__synthesize_build_id(const struct perf_tool *tool,
                                     const char *filename)
  {
         union perf_event ev;
-       size_t len;
+       size_t len, filename_len = strlen(filename);
         u64 sample_type = sample->evsel ? sample->evsel->core.attr.sample_type : 0;
         void *array = &ev;
         int ret;
  
-       len = sizeof(ev.build_id) + strlen(filename) + 1;
+       if (filename_len >= PATH_MAX)
+               return -EINVAL;
+
+       len = sizeof(ev.build_id) + filename_len + 1;
         len = PERF_ALIGN(len, sizeof(u64));
  
+       if (len + MAX_ID_HDR_ENTRIES * sizeof(__u64) > sizeof(ev))
+               return -E2BIG;
+
         memset(&ev, 0, len);
  
         ev.build_id.size = bid->size;
@@ -2314,14 +2320,21 @@ int perf_event__synthesize_mmap2_build_id(const struct perf_tool *tool,
                                           const char *filename)
  {
         union perf_event ev;
+       size_t filename_len = strlen(filename);
         size_t ev_len;
         u64 sample_type = sample->evsel ? sample->evsel->core.attr.sample_type : 0;
         void *array;
         int ret;
  
-       ev_len = sizeof(ev.mmap2) - sizeof(ev.mmap2.filename) + strlen(filename) + 1;
+       if (filename_len >= sizeof(ev.mmap2.filename))
+               return -EINVAL;
+
+       ev_len = sizeof(ev.mmap2) - sizeof(ev.mmap2.filename) + filename_len + 1;
         ev_len = PERF_ALIGN(ev_len, sizeof(u64));
  
+       if (ev_len + MAX_ID_HDR_ENTRIES * sizeof(__u64) > sizeof(ev))
+               return -E2BIG;
+
         memset(&ev, 0, ev_len);
  
         ev.mmap2.header.type = PERF_RECORD_MMAP2;
author	Ian Rogers <irogers@google.com>
	Wed, 20 May 2026 19:05:32 +0000 (12:05 -0700)
committer	Arnaldo Carvalho de Melo <acme@redhat.com>
	Wed, 20 May 2026 19:39:40 +0000 (16:39 -0300)