From: Arnaldo Carvalho de Melo Date: Mon, 8 Jun 2026 01:37:55 +0000 (-0300) Subject: perf tools: Fix thread__set_comm_from_proc() on empty comm file X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=31d596054550f793508abe7dd593853ece47d428;p=thirdparty%2Fkernel%2Flinux.git perf tools: Fix thread__set_comm_from_proc() on empty comm file thread__set_comm_from_proc() calls procfs__read_str() then strips the trailing newline via comm[sz - 1] = '\0'. procfs__read_str() allocates the buffer before reading, so on an empty /proc/pid/comm (reachable during late exit teardown) it returns success with sz = 0 and an unterminated heap buffer. The sz - 1 underflow was the original sashiko finding: it writes a null byte before the allocation. But even with a sz > 0 guard on the newline strip, the unterminated buffer would still be passed to thread__set_comm() which calls strlen() — an unbounded heap read. Fix by treating sz == 0 as failure: free the buffer and return -1. This is consistent with pmu.c's perf_pmu__parse_scale/unit which already treat len == 0 from filename__read_str as an error. Fixes: 2f3027ac28bf6bc3 ("perf thread: Introduce method to set comm from /proc/pid/self") Reported-by: sashiko-bot Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo --- diff --git a/tools/perf/util/thread.c b/tools/perf/util/thread.c index ba33c0dfc18fe..e483ffcb5d937 100644 --- a/tools/perf/util/thread.c +++ b/tools/perf/util/thread.c @@ -295,6 +295,11 @@ int thread__set_comm_from_proc(struct thread *thread) if (!(snprintf(path, sizeof(path), "%d/task/%d/comm", thread__pid(thread), thread__tid(thread)) >= (int)sizeof(path)) && procfs__read_str(path, &comm, &sz) == 0) { + /* sz==0: read got nothing, e.g. race during exit teardown */ + if (sz == 0) { + free(comm); + return -1; + } comm[sz - 1] = '\0'; err = thread__set_comm(thread, comm, 0); }
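Review bot: the sz == 0 guard makes comm[sz - 1] a valid index, but the line after it, comm[sz - 1] = '\0', still overwrites the last byte unconditionally, and that write is also the only thing that NUL-terminates the buffer procfs__read_str() hands back. The new comment only says "read got nothing"; it should also say that the strip doubles as the terminator, so that a later "only strip when comm[sz - 1] == '\n'" change does not quietly reintroduce the unbounded strlen() in thread__set_comm() that this fix is closing. Something like: /* sz==0: read got nothing, e.g. race during exit teardown; the strip below also terminates the buffer */.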
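The failure mode described in the commit message, reduced to a runnable shape. This is an added example, not perf's code: mock_read_str() is a hypothetical stand-in for procfs__read_str() that reproduces the two properties that matter (no NUL terminator on the heap copy, and an empty file reported as success with a zero size), and comm_from_proc_fixed() mirrors the fixed thread__set_comm_from_proc() but copies into a caller buffer instead of calling thread__set_comm(). The comm file contents are constructed inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for procfs__read_str(): returns 0 on success with
 * *bufp pointing at a heap copy of the file contents and *sizep holding the
 * byte count. As with the real helper, the copy carries no NUL terminator,
 * and an empty file is still a success with *sizep == 0.
 */
static int mock_read_str(const char *contents, size_t len,
			 char **bufp, size_t *sizep)
{
	/* malloc(0) may legitimately return NULL; request 1 byte so the empty
	 * case still yields a (zero-length, unterminated) allocation. */
	char *buf = malloc(len ? len : 1);

	if (!buf)
		return -1;
	memcpy(buf, contents, len);
	*bufp = buf;
	*sizep = len;
	return 0;
}

/*
 * Shape of the fixed thread__set_comm_from_proc(): a zero-byte read is a
 * failure; otherwise the trailing newline is replaced in place with the NUL
 * that terminates the buffer, and only then is the string handed on.
 */
static int comm_from_proc_fixed(const char *contents, size_t len,
				char *out, size_t outlen)
{
	char *comm = NULL;
	size_t sz = 0;
	int err = -1;

	if (mock_read_str(contents, len, &comm, &sz) != 0)
		return -1;

	/* sz == 0: nothing was read (e.g. a task in late exit teardown).
	 * Without this check, comm[sz - 1] writes one byte before the
	 * allocation; a bare sz > 0 guard around the strip would instead pass
	 * a zero-length, unterminated buffer to strlen() below. */
	if (sz == 0) {
		free(comm);
		return -1;
	}
	comm[sz - 1] = '\0';	/* drop the '\n' the kernel appends; terminates */

	if (strlen(comm) < outlen) {	/* strlen() is now bounded by sz */
		memcpy(out, comm, strlen(comm) + 1);
		err = 0;
	}
	free(comm);
	return err;
}

/* Convenience for checks: 1 if the read succeeds and yields 'expect'. */
static int comm_equals(const char *contents, size_t len, const char *expect)
{
	char out[32];

	if (comm_from_proc_fixed(contents, len, out, sizeof(out)) != 0)
		return 0;
	return strcmp(out, expect) == 0;
}

int main(void)
{
	char out[32];

	/* Constructed /proc/<pid>/task/<tid>/comm contents. */
	if (comm_from_proc_fixed("bash\n", 5, out, sizeof(out)) == 0)
		printf("comm: \"%s\"\n", out);
	if (comm_from_proc_fixed("", 0, out, sizeof(out)) != 0)
		printf("empty comm file: rejected\n");
	return 0;
}
```

The buggy pre-fix form is not exercised here on purpose: calling it with an empty input performs the out-of-bounds write the commit describes, which is undefined behaviour rather than something a test can observe reliably.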