perf pmu: Fix pmu_id() heap underwrite on empty identifier file
authorArnaldo Carvalho de Melo <acme@redhat.com>
Mon, 8 Jun 2026 00:01:43 +0000 (21:01 -0300)
committerArnaldo Carvalho de Melo <acme@redhat.com>
Wed, 10 Jun 2026 21:56:01 +0000 (18:56 -0300)
pmu_id() calls filename__read_str() then strips the trailing newline
via str[len - 1] = 0.  If the PMU identifier file is empty,
filename__read_str() succeeds with len = 0.  len - 1 underflows
size_t to SIZE_MAX, writing a null byte before the heap allocation.

Add a len == 0 check before the newline stripping.

Fixes: 51d548471510843e ("perf pmu: Add pmu_id()")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: John Garry <john.g.garry@oracle.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
tools/perf/util/pmu.c

index 1539960ba23b201b120f847c426c30144cefe255..f588cce601941a2270ac55e17d91806792978c1e 100644 (file)
@@ -865,6 +865,12 @@ static char *pmu_id(const char *name)
        if (filename__read_str(path, &str, &len) < 0)
                return NULL;
 
+       /* empty identifier file — nothing useful */
+       if (len == 0) {
+               free(str);
+               return NULL;
+       }
+
        str[len - 1] = 0; /* remove line feed */
 
        return str;
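Review bot: The unchanged `str[len - 1] = 0; /* remove line feed */` after the new guard still assumes the last byte is a newline, so an identifier file with no trailing line feed loses its final character. A file holding only "\n" also passes the `len == 0` check and returns an empty string rather than NULL. Stripping conditionally, `if (str[len - 1] == '\n') str[len - 1] = 0;`, and then freeing and returning NULL when the result is empty would make the "nothing useful" case consistent. Whether callers tolerate an empty identifier is not visible here, since pmu_id() starts before and ends after this hunk.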