From: Arnaldo Carvalho de Melo
Date: Fri, 10 Apr 2026 22:09:03 +0000 (-0300)
Subject: perf header: Sanity check HEADER_PMU_CAPS
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f5722a6b6a443fd56ce0a71b4be4c75d7a857dbe;p=thirdparty%2Fkernel%2Flinux.git

perf header: Sanity check HEADER_PMU_CAPS

Add upper bound checks in PMU capabilities processing to harden against malformed perf.data files:
- nr_pmu bounded to MAX_PMU_MAPPINGS (4096) in process_pmu_caps()
- nr_pmu_caps bounded to MAX_PMU_CAPS (512) in __process_pmu_caps()

Cc: Ravi Bangoria
Cc: Ian Rogers
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: Namhyung Kim
---
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index a609fc7d959fa..37c1afbc08167 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -66,6 +66,7 @@
 #define MAX_CACHE_ENTRIES 32768
 #define MAX_GROUP_DESC 32768
 #define MAX_NUMA_NODES 4096
+#define MAX_PMU_CAPS 512
 #define MAX_PMU_MAPPINGS 4096
 #define MAX_SCHED_DOMAINS 64
@@ -3677,6 +3678,12 @@ static int __process_pmu_caps(struct feat_fd *ff, int *nr_caps,
 if (!nr_pmu_caps)
 return 0;
+ if (nr_pmu_caps > MAX_PMU_CAPS) {
+ pr_err("Invalid pmu caps: nr_pmu_caps (%u) > %u\n",
+ nr_pmu_caps, MAX_PMU_CAPS);
+ return -1;
+ }
+
 *caps = calloc(nr_pmu_caps, sizeof(char *));
 if (!*caps)
 return -1;
@@ -3754,6 +3761,18 @@ static int process_pmu_caps(struct feat_fd *ff, void *data __maybe_unused)
 return 0;
 }
+ if (nr_pmu > MAX_PMU_MAPPINGS) {
+ pr_err("Invalid HEADER_PMU_CAPS: nr_pmu (%u) > %u\n",
+ nr_pmu, MAX_PMU_MAPPINGS);
+ return -1;
+ }
+
+ if (ff->size < sizeof(u32) + nr_pmu * sizeof(u32)) {
+ pr_err("Invalid HEADER_PMU_CAPS: section too small (%zu) for %u PMUs\n",
+ ff->size, nr_pmu);
+ return -1;
+ }
+
 pmu_caps = calloc(nr_pmu, sizeof(*pmu_caps));
 if (!pmu_caps)
 return -ENOMEM;
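Review bot: The new `nr_pmu_caps` check in `__process_pmu_caps()` has no comment saying that the count is read from the file and sizes the `calloc()` directly below it, which is the reason the bound has to sit exactly here. A one-line comment above the `if`, such as `/* nr_pmu_caps comes from perf.data: bound it before it sizes the calloc() below */`, would keep a later refactor from moving the allocation ahead of the check. The `pr_err()` text also says only "Invalid pmu caps", while the matching check in `process_pmu_caps()` names `HEADER_PMU_CAPS`; naming the section, or passing it in if this helper is shared, would make a rejected file easier to triage. The function's start and end, and its callers, are outside this hunk.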
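Review bot: The section-size test in `process_pmu_caps()` is only wrap-safe because the `MAX_PMU_MAPPINGS` test runs before it; with a 32-bit `size_t`, `nr_pmu * sizeof(u32)` could wrap for a large file-supplied `nr_pmu` and let an undersized section through. Nothing in the code records that ordering, so I would add `/* must stay after the MAX_PMU_MAPPINGS check: keeps nr_pmu * sizeof(u32) from wrapping */` above the second `if`. The floor counts one `u32` per PMU; if each PMU record holds more than that (the record reader is outside this hunk), the comment should say this is a lower bound rather than the exact minimum. The function body starts and ends outside the hunk.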