perf header: Sanity check HEADER_HYBRID_TOPOLOGY

Add upper bound check on nr_nodes in process_hybrid_topology() to
harden against malformed perf.data files (reuses MAX_PMU_MAPPINGS,
4096).

Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 749a522fe057e73999d44b5931251a5d293d8bea..a609fc7d959fae04b5ad8097046685a4910feb0f 100644 (file)
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -3450,6 +3450,18 @@ static int process_hybrid_topology(struct feat_fd *ff,
        if (do_read_u32(ff, &nr))
                return -1;
 
+       if (nr > MAX_PMU_MAPPINGS) {
+               pr_err("Invalid HEADER_HYBRID_TOPOLOGY: nr_nodes (%u) > %u\n",
+                      nr, MAX_PMU_MAPPINGS);
+               return -1;
+       }
+
+       if (ff->size < sizeof(u32) + nr * 2 * sizeof(u32)) {
+               pr_err("Invalid HEADER_HYBRID_TOPOLOGY: section too small (%zu) for %u nodes\n",
+                      ff->size, nr);
+               return -1;
+       }
+
        nodes = calloc(nr, sizeof(*nodes));
        if (!nodes)
                return -ENOMEM;