perf header: Sanity check HEADER_PMU_CAPS
authorArnaldo Carvalho de Melo <acme@redhat.com>
Fri, 10 Apr 2026 22:09:03 +0000 (19:09 -0300)
committerNamhyung Kim <namhyung@kernel.org>
Tue, 14 Apr 2026 06:21:53 +0000 (23:21 -0700)
Add upper bound checks in PMU capabilities processing to harden against
malformed perf.data files:

- nr_pmu bounded to MAX_PMU_MAPPINGS (4096) in process_pmu_caps()
- nr_pmu_caps bounded to MAX_PMU_CAPS (512) in __process_pmu_caps()

Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
tools/perf/util/header.c

index a609fc7d959fae04b5ad8097046685a4910feb0f..37c1afbc081672f1f8f6b9f8eec29d014c7e7885 100644 (file)
@@ -66,6 +66,7 @@
 #define MAX_CACHE_ENTRIES      32768
 #define MAX_GROUP_DESC         32768
 #define MAX_NUMA_NODES         4096
+#define MAX_PMU_CAPS           512
 #define MAX_PMU_MAPPINGS       4096
 #define MAX_SCHED_DOMAINS      64
 
@@ -3677,6 +3678,12 @@ static int __process_pmu_caps(struct feat_fd *ff, int *nr_caps,
        if (!nr_pmu_caps)
                return 0;
 
+       if (nr_pmu_caps > MAX_PMU_CAPS) {
+               pr_err("Invalid pmu caps: nr_pmu_caps (%u) > %u\n",
+                      nr_pmu_caps, MAX_PMU_CAPS);
+               return -1;
+       }
+
        *caps = calloc(nr_pmu_caps, sizeof(char *));
        if (!*caps)
                return -1;
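Review bot: The new `pr_err()` prints both values with `%u`, but `MAX_PMU_CAPS` expands to the plain `int` constant `512`, so the second conversion receives a signed argument. The same applies to `MAX_PMU_MAPPINGS` in the check added to process_pmu_caps(). Printing the limit with `%d` (`"Invalid pmu caps: nr_pmu_caps (%u) > %d\n"`) keeps the format and argument types matched without touching the shared defines. The declaration of `nr_pmu_caps` is outside this hunk, and an upper-bound-only test is a complete guard only if it is unsigned, as the `%u` suggests. A one-line comment such as `/* nr_pmu_caps comes from the file: bound it before it sizes the calloc() below */` would record why the check sits here.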
@@ -3754,6 +3761,18 @@ static int process_pmu_caps(struct feat_fd *ff, void *data __maybe_unused)
                return 0;
        }
 
+       if (nr_pmu > MAX_PMU_MAPPINGS) {
+               pr_err("Invalid HEADER_PMU_CAPS: nr_pmu (%u) > %u\n",
+                      nr_pmu, MAX_PMU_MAPPINGS);
+               return -1;
+       }
+
+       if (ff->size < sizeof(u32) + nr_pmu * sizeof(u32)) {
+               pr_err("Invalid HEADER_PMU_CAPS: section too small (%zu) for %u PMUs\n",
+                      ff->size, nr_pmu);
+               return -1;
+       }
+
        pmu_caps = calloc(nr_pmu, sizeof(*pmu_caps));
        if (!pmu_caps)
                return -ENOMEM;
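Review bot: The section-size test depends on running after the `nr_pmu > MAX_PMU_MAPPINGS` check, and nothing in the code says so. With `nr_pmu` capped, `nr_pmu * sizeof(u32)` cannot wrap, but if the two checks were reordered the product could wrap where `size_t` is 32 bits. The test is also only a lower bound of one `u32` per PMU, so it rejects obviously truncated sections while the per-PMU reads later in process_pmu_caps() (outside this hunk) must still fail cleanly on short data. I would document both facts above the check: `/* nr_pmu is capped above, so this cannot wrap; minimum size only, each PMU needs at least one u32 */`.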