From: Arnaldo Carvalho de Melo <acme@redhat.com>
Date: Wed, 8 Apr 2026 17:32:01 +0000 (-0300)
Subject: perf header: Do validation of perf.data HEADER_CPU_DOMAIN_INFO
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7507abd16a05e8b191ed7bed69e075b23111c401;p=thirdparty%2Fkernel%2Flinux.git

perf header: Do validation of perf.data HEADER_CPU_DOMAIN_INFO

As suggested in an unrelated sashiko review:

  https://sashiko.dev/#/patchset/20260407195145.2372104-1-acme%40kernel.org

"
Could a malformed perf.data file provide out-of-bounds values for cpu and
domain?
These variables are read directly from the file and used as indices for
cd_map and cd_map[cpu]->domains without any validation against
env->nr_cpus_avail or max_sched_domains.
Similar to the issue above, this is an existing lack of validation that
becomes apparent when looking at the allocation boundaries.
"

Validate it.

Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
---

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index a18f216f77c27..4925e33778b91 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -3717,6 +3717,11 @@ static int process_cpu_domain_info(struct feat_fd *ff, void *data __maybe_unused
 		if (do_read_u32(ff, &cpu))
 			return -1;
 
+		if (cpu >= nra) {
+			pr_err("Invalid HEADER_CPU_DOMAIN_INFO: cpu %d >= nr_cpus_avail (%d)\n", cpu, nra);
+			return -1;
+		}
+
 		cd_map[cpu] = zalloc(sizeof(*cd_map[cpu]));
 		if (!cd_map[cpu])
 			return -1;
@@ -3736,6 +3741,12 @@ static int process_cpu_domain_info(struct feat_fd *ff, void *data __maybe_unused
 			if (do_read_u32(ff, &domain))
 				return -1;
 
+			if (domain >= max_sched_domains) {
+				pr_err("Invalid HEADER_CPU_DOMAIN_INFO: domain %d >= max_sched_domains (%d)\n",
+				       domain, max_sched_domains);
+				return -1;
+			}
+
 			d_info = zalloc(sizeof(*d_info));
 			if (!d_info)
 				return -1;