perf header: Sanity check HEADER_GROUP_DESC

author Arnaldo Carvalho de Melo <acme@redhat.com>

Fri, 10 Apr 2026 22:09:00 +0000 (19:09 -0300)

committer Namhyung Kim <namhyung@kernel.org>

Tue, 14 Apr 2026 06:21:53 +0000 (23:21 -0700)
author Arnaldo Carvalho de Melo <acme@redhat.com>
Fri, 10 Apr 2026 22:09:00 +0000 (19:09 -0300)
committer Namhyung Kim <namhyung@kernel.org>
Tue, 14 Apr 2026 06:21:53 +0000 (23:21 -0700)
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c

index 77035d9b138cb3cd3fbc7a79797dd1a2abbd71c8..993e20debd5ca31545e1ca4c2c305097cfadf2cb 100644 (file)
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -63,6 +63,7 @@
  #include <event-parse.h>
  #endif
  
+#define MAX_GROUP_DESC         32768
  #define MAX_NUMA_NODES         4096
  #define MAX_PMU_MAPPINGS       4096
  #define MAX_SCHED_DOMAINS      64
@@ -3132,12 +3133,25 @@ static int process_group_desc(struct feat_fd *ff, void *data __maybe_unused)
         if (do_read_u32(ff, &nr_groups))
                 return -1;
  
-       env->nr_groups = nr_groups;
         if (!nr_groups) {
                 pr_debug("group desc not available\n");
                 return 0;
         }
  
+       if (nr_groups > MAX_GROUP_DESC) {
+               pr_err("Invalid HEADER_GROUP_DESC: nr_groups (%u) > %u\n",
+                      nr_groups, MAX_GROUP_DESC);
+               return -1;
+       }
+
+       if (ff->size < sizeof(u32) + nr_groups * 3 * sizeof(u32)) {
+               pr_err("Invalid HEADER_GROUP_DESC: section too small (%zu) for %u groups\n",
+                      ff->size, nr_groups);
+               return -1;
+       }
+
+       env->nr_groups = nr_groups;
+
         desc = calloc(nr_groups, sizeof(*desc));
         if (!desc)
                 return -1;
author	Arnaldo Carvalho de Melo <acme@redhat.com>
	Fri, 10 Apr 2026 22:09:00 +0000 (19:09 -0300)
committer	Namhyung Kim <namhyung@kernel.org>
	Tue, 14 Apr 2026 06:21:53 +0000 (23:21 -0700)