]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a0e4362)
perf symbols: Add bounds checks to elf_read_build_id() note iteration
authorArnaldo Carvalho de Melo <acme@redhat.com>
Mon, 8 Jun 2026 11:12:34 +0000 (08:12 -0300)
committerArnaldo Carvalho de Melo <acme@redhat.com>
Wed, 10 Jun 2026 21:56:02 +0000 (18:56 -0300)
elf_read_build_id() iterates ELF notes using pointer arithmetic
driven by n_namesz and n_descsz from the note headers.  Neither
the note header read nor the subsequent name/desc advances are
checked against the section boundary.  A malformed ELF file with
oversized note sizes causes out-of-bounds reads past the section
data buffer.

Add two bounds checks: verify the note header fits within the
remaining section data, and verify that namesz + descsz (after
alignment) fits before advancing the pointer.

Fixes: fd7a346ea292074e ("perf symbols: Filename__read_build_id should look at .notes section too")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
tools/perf/util/symbol-elf.c patch | blob | blame | history

diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index 10902a5dc6dbe6ccb26c6815caa78330ffe4ea8e..d84e2e031d430cf523c905164da15db02f36781a 100644 (file)
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -835,10 +835,24 @@ static int elf_read_build_id(Elf *elf, void *bf, size_t size)
        ptr = data->d_buf;
        while (ptr < (data->d_buf + data->d_size)) {
                GElf_Nhdr *nhdr = ptr;
-               size_t namesz = NOTE_ALIGN(nhdr->n_namesz),
-                      descsz = NOTE_ALIGN(nhdr->n_descsz);
+               size_t namesz, descsz, remaining;
                const char *name;
 
+               /* ensure the note header fits within the section */
+               if (ptr + sizeof(*nhdr) > data->d_buf + data->d_size)
+                       break;
+
+               namesz = NOTE_ALIGN(nhdr->n_namesz);
+               descsz = NOTE_ALIGN(nhdr->n_descsz);
+
+               /* validate individually to avoid size_t overflow on 32-bit */
+               remaining = data->d_buf + data->d_size - ptr - sizeof(*nhdr);
+               if (namesz > remaining || descsz > remaining - namesz) {
+                       pr_warning("%s: oversized note: n_namesz=%u, n_descsz=%u\n",
+                                  __func__, nhdr->n_namesz, nhdr->n_descsz);
+                       break;
+               }
+
                ptr += sizeof(*nhdr);
                name = ptr;
                ptr += namesz;
A mirror of Linus' kernel repository