symbol-minimal.c's read_build_id() iterates ELF notes with the same
pattern as symbol-elf.c's elf_read_build_id(): pointer arithmetic
driven by n_namesz and n_descsz from 32-bit note header fields,
without validating that the name and desc fit within the note section
data. A malformed ELF file with oversized note sizes causes
out-of-bounds reads past the section data buffer.
Add the same bounds check as the libelf path: validate namesz and
descsz individually against remaining data before advancing the
pointer, avoiding size_t overflow on 32-bit.
Fixes: b691f64360ecec49 ("perf symbols: Implement poor man's ELF parser")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+#include "debug.h"
#include "dso.h"
#include "symbol.h"
#include "symsrc.h"
ptr = note_data;
while ((ptr + sizeof(*nhdr)) < (note_data + note_len)) {
const char *name;
- size_t namesz, descsz;
+ size_t namesz, descsz, remaining;
nhdr = ptr;
if (need_swap) {
namesz = NOTE_ALIGN(nhdr->n_namesz);
descsz = NOTE_ALIGN(nhdr->n_descsz);
+ /* validate individually to avoid size_t overflow on 32-bit */
+ remaining = note_data + note_len - ptr - sizeof(*nhdr);
+ if (namesz > remaining || descsz > remaining - namesz) {
+ pr_warning("%s: oversized note: n_namesz=%u, n_descsz=%u\n",
+ __func__, nhdr->n_namesz, nhdr->n_descsz);
+ break;
+ }
+
ptr += sizeof(*nhdr);
name = ptr;
ptr += namesz;
projects / thirdparty / kernel / linux.git / commitdiff
