perf header: Sanity check HEADER_MEM_TOPOLOGY
authorArnaldo Carvalho de Melo <acme@redhat.com>
Fri, 10 Apr 2026 22:08:58 +0000 (19:08 -0300)
committerNamhyung Kim <namhyung@kernel.org>
Tue, 14 Apr 2026 06:21:53 +0000 (23:21 -0700)
Add validation to process_mem_topology() to harden against malformed
perf.data files:

- Upper bound check on nr_nodes (reuses MAX_NUMA_NODES, 4096)
- Minimum section size check before allocating

This is particularly important here since nr is u64, making unbounded
values especially dangerous.

Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
tools/perf/util/header.c

index 2f405776e5013c139c983de92530508ef472a518..2eb909672f826ca48bcaf5f0a667bea316b87ecf 100644 (file)
@@ -3308,6 +3308,18 @@ static int process_mem_topology(struct feat_fd *ff,
        if (do_read_u64(ff, &nr))
                return -1;
 
+       if (nr > MAX_NUMA_NODES) {
+               pr_err("Invalid HEADER_MEM_TOPOLOGY: nr_nodes (%llu) > %u\n",
+                      (unsigned long long)nr, MAX_NUMA_NODES);
+               return -1;
+       }
+
+       if (ff->size < 3 * sizeof(u64) + nr * 2 * sizeof(u64)) {
+               pr_err("Invalid HEADER_MEM_TOPOLOGY: section too small (%zu) for %llu nodes\n",
+                      ff->size, (unsigned long long)nr);
+               return -1;
+       }
+
        nodes = calloc(nr, sizeof(*nodes));
        if (!nodes)
                return -1;
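Review bot: The added size check `if (ff->size < 3 * sizeof(u64) + nr * 2 * sizeof(u64))` is only safe because the `nr > MAX_NUMA_NODES` test runs first and keeps the u64 multiplication from wrapping, and neither that ordering nor the constants 3 and 2 are explained. I would put a comment above it along the lines of `/* 3 header u64s already read + at least 2 u64s per node; nr is capped above, so this cannot wrap */` so a later reorder or a relaxed cap does not quietly defeat the check. The per-node read loop and the earlier header reads are outside the hunk, so I cannot confirm that two u64s is the real per-node minimum; if each record also carries a bitmap length word, the bound could be raised to three. Either way this is a lower bound only, so the reads in the loop still need their own checks against the section size.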