perf header: Sanity check HEADER_NUMA_TOPOLOGY

Add validation to process_numa_topology() to harden against malformed
perf.data files:

- Upper bound check on nr_nodes (max 4096)
- Minimum section size check before allocating

Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index acd6b07528e013a46ab959b303a08f9258d87398..2f405776e5013c139c983de92530508ef472a518 100644 (file)
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -63,6 +63,7 @@
 #include <event-parse.h>
 #endif
 
+#define MAX_NUMA_NODES         4096
 #define MAX_SCHED_DOMAINS      64
 
 /*
@@ -3005,6 +3006,18 @@ static int process_numa_topology(struct feat_fd *ff, void *data __maybe_unused)
        if (do_read_u32(ff, &nr))
                return -1;
 
+       if (nr > MAX_NUMA_NODES) {
+               pr_err("Invalid HEADER_NUMA_TOPOLOGY: nr_nodes (%u) > %u\n",
+                      nr, MAX_NUMA_NODES);
+               return -1;
+       }
+
+       if (ff->size < sizeof(u32) + nr * (sizeof(u32) + 2 * sizeof(u64))) {
+               pr_err("Invalid HEADER_NUMA_TOPOLOGY: section too small (%zu) for %u nodes\n",
+                      ff->size, nr);
+               return -1;
+       }
+
        nodes = calloc(nr, sizeof(*nodes));
        if (!nodes)
                return -ENOMEM;