]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
perf header: Sanity check HEADER_GROUP_DESC
authorArnaldo Carvalho de Melo <acme@redhat.com>
Fri, 10 Apr 2026 22:09:00 +0000 (19:09 -0300)
committerNamhyung Kim <namhyung@kernel.org>
Tue, 14 Apr 2026 06:21:53 +0000 (23:21 -0700)
Add upper bound check on nr_groups in process_group_desc() to harden
against malformed perf.data files (max 32768), and move the env
assignment after validation.

Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
tools/perf/util/header.c

index 77035d9b138cb3cd3fbc7a79797dd1a2abbd71c8..993e20debd5ca31545e1ca4c2c305097cfadf2cb 100644 (file)
@@ -63,6 +63,7 @@
 #include <event-parse.h>
 #endif
 
+#define MAX_GROUP_DESC         32768
 #define MAX_NUMA_NODES         4096
 #define MAX_PMU_MAPPINGS       4096
 #define MAX_SCHED_DOMAINS      64
@@ -3132,12 +3133,25 @@ static int process_group_desc(struct feat_fd *ff, void *data __maybe_unused)
        if (do_read_u32(ff, &nr_groups))
                return -1;
 
-       env->nr_groups = nr_groups;
        if (!nr_groups) {
                pr_debug("group desc not available\n");
                return 0;
        }
 
+       if (nr_groups > MAX_GROUP_DESC) {
+               pr_err("Invalid HEADER_GROUP_DESC: nr_groups (%u) > %u\n",
+                      nr_groups, MAX_GROUP_DESC);
+               return -1;
+       }
+
+       if (ff->size < sizeof(u32) + nr_groups * 3 * sizeof(u32)) {
+               pr_err("Invalid HEADER_GROUP_DESC: section too small (%zu) for %u groups\n",
+                      ff->size, nr_groups);
+               return -1;
+       }
+
+       env->nr_groups = nr_groups;
+
        desc = calloc(nr_groups, sizeof(*desc));
        if (!desc)
                return -1;