From: Arnaldo Carvalho de Melo Date: Mon, 8 Jun 2026 00:01:43 +0000 (-0300) Subject: perf pmu: Fix pmu_id() heap underwrite on empty identifier file X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=836455e6dbd34eb3d12eeab5e2d2b9a7f1512459;p=thirdparty%2Fkernel%2Flinux.git perf pmu: Fix pmu_id() heap underwrite on empty identifier file pmu_id() calls filename__read_str() then strips the trailing newline via str[len - 1] = 0. If the PMU identifier file is empty, filename__read_str() succeeds with len = 0. len - 1 underflows size_t to SIZE_MAX, writing a null byte before the heap allocation. Add a len == 0 check before the newline stripping. Fixes: 51d548471510843e ("perf pmu: Add pmu_id()") Reported-by: sashiko-bot Cc: John Garry Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo --- diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c index 1539960ba23b2..f588cce601941 100644 --- a/tools/perf/util/pmu.c +++ b/tools/perf/util/pmu.c @@ -865,6 +865,12 @@ static char *pmu_id(const char *name) if (filename__read_str(path, &str, &len) < 0) return NULL; + /* empty identifier file — nothing useful */ + if (len == 0) { + free(str); + return NULL; + } + str[len - 1] = 0; /* remove line feed */ return str;
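Review bot: The unchanged `str[len - 1] = 0; /* remove line feed */` that follows the new `len == 0` check still clears the last byte unconditionally, so an identifier file whose content does not end in a newline loses its final character. Consider stripping only when `str[len - 1] == '\n'`. Related: a file containing just a single newline has `len == 1`, passes the new check, and comes back as an empty string rather than NULL. If callers should treat that the same as the empty-file case, do the emptiness test after stripping, or test both, and free `str` on that path as the added block already does.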