dso__get_filename() allocates name with malloc(PATH_MAX), but the
dso__filename_with_chroot() path replaces name with an asprintf'd
exact-size string (e.g. 8 bytes for "/a/b.ko"). When the DSO needs
decompression, dso__decompress_kmodule_path() writes the temp path
("/tmp/perf-kmod-XXXXXX", 22 bytes) into newpath, and strcpy(name,
newpath) overflows the smaller allocation.

Replace the strcpy with strdup(newpath) + free(name) so the buffer
is always correctly sized for its content.

Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Fixes: 1d6b3c9ba756a513 ("perf tools: Decompress kernel module when reading DSO data")
Reviewed-by: Ian Rogers <irogers@google.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
/* empty pathname means file wasn't actually compressed */
if (newpath[0] != '\0') {
+ char *tmp = strdup(newpath);
+
+ if (!tmp) {
+ unlink(newpath);
+ goto out;
+ }
+ free(name);
+ name = tmp;
*decomp = true;
- strcpy(name, newpath);
}
}
return name;
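
Review bot: In the `if (!tmp)` branch, `unlink(newpath)` runs between the failed `strdup()` and `goto out`, so a failing unlink can overwrite the ENOMEM that strdup left in errno. If callers rely on errno when this function returns NULL, set `errno = ENOMEM` after the unlink, or save and restore errno around it. This branch also leaves the original `name` allocated and depends on the `out` label to release it; that label is outside the visible context, so it is worth confirming that it frees `name` and does not also expect `*decomp` to have been set. Keeping `*decomp = true` after the allocation succeeds is the right order, since the caller should only treat the path as a temporary file once `name` actually points at it.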