perf c2c: Bounds-check CPU IDs in setup_nodes() topology loop

setup_nodes() iterates CPU maps from the perf.data topology header and
uses cpu.cpu directly as an array index into cpu2node[] (allocated with
c2c.cpus_cnt = env->nr_cpus_avail entries) and __set_bit(cpu.cpu, set)
(bitmap also sized to c2c.cpus_cnt).

A crafted perf.data with topology CPU IDs exceeding nr_cpus_avail causes
out-of-bounds heap writes into both the cpu2node array and the per-node
bitmap.

Add a bounds check to skip CPU IDs that fall outside the valid range.

Fixes: 1e181b92a2da ("perf c2c report: Add 'node' sort key")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
index f060dfbe11c285bfc6d7a897075204049e77f160..cfc1ebe8c0af74dc2a4c891170680480accda2fd 100644 (file)
--- a/tools/perf/builtin-c2c.c
+++ b/tools/perf/builtin-c2c.c
@@ -2371,6 +2371,10 @@ static int setup_nodes(struct perf_session *session)
                nodes[node] = set;
 
                perf_cpu_map__for_each_cpu_skip_any(cpu, idx, map) {
+                       /* topology CPU IDs from perf.data may exceed nr_cpus_avail */
+                       if (cpu.cpu < 0 || cpu.cpu >= c2c.cpus_cnt)
+                               continue;
+
                        __set_bit(cpu.cpu, set);
 
                        if (WARN_ONCE(cpu2node[cpu.cpu] != -1, "node/cpu topology bug"))