From 167bef4df68635f8bfa2af9108351ee78536d7fb Mon Sep 17 00:00:00 2001
From: =?utf8?q?Miguel=20Mart=C3=ADn=20Gil?=
 <miguel.martin.gil.uni@gmail.com>
Date: Tue, 26 May 2026 13:08:52 +0200
Subject: [PATCH] perf util: Fix perf_exe() buffer write past end
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

perf_exe() passes len to readlink() and then unconditionally writes a
trailing NUL at buf[n]. If readlink() returns len, the write lands one
byte past the buffer.

Read at most len - 1 bytes and keep the existing NUL termination. Also
guard the fallback path for tiny buffers so copying "perf" cannot
overflow.

Reviewed-by: Ian Rogers <irogers@google.com>
Signed-off-by: Miguel Martín Gil <miguel.martin.gil.uni@gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
 tools/perf/util/util.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
index 25849434f0a4e..2c2a5c449ffd0 100644
--- a/tools/perf/util/util.c
+++ b/tools/perf/util/util.c
@@ -419,11 +419,21 @@ out:
 
 char *perf_exe(char *buf, int len)
 {
-	int n = readlink("/proc/self/exe", buf, len);
+	int n;
+
+	if (len <= 0)
+		return buf;
+
+	n = readlink("/proc/self/exe", buf, len - 1);
 	if (n > 0) {
 		buf[n] = 0;
 		return buf;
 	}
+	if (len < (int)sizeof("perf")) {
+		buf[0] = '\0';
+		return buf;
+	}
+
 	return strcpy(buf, "perf");
 }
 
-- 
2.47.3