From: Arnaldo Carvalho de Melo Date: Mon, 8 Jun 2026 01:40:20 +0000 (-0300) Subject: perf symbols: Bounds-check descsz in sysfs__read_build_id() GNU fallback X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=1b4e9fbdeabc549965e70ac0cd8095d57ff6df06;p=thirdparty%2Fkernel%2Flinux.git perf symbols: Bounds-check descsz in sysfs__read_build_id() GNU fallback When sysfs__read_build_id() matches NT_GNU_BUILD_ID with the right namesz but the name content is not "GNU", it falls back to reading descsz bytes into the stack buffer bf[BUFSIZ]: } else if (read(fd, bf, descsz) != (ssize_t)descsz) Unlike the else branch which validates namesz + descsz against sizeof(bf), this path passes descsz directly to read() without any bounds check. A crafted sysfs file with a large n_descsz overflows the 8192-byte stack buffer. Add a descsz > sizeof(bf) check before the read, breaking out of the loop on oversized values. Fixes: e5a1845fc0aeca85 ("perf symbols: Split out util/symbol-elf.c") Reported-by: sashiko-bot Cc: Namhyung Kim Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo --- diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c index 36a0304707e13..06cfb84f86eb2 100644 --- a/tools/perf/util/symbol-elf.c +++ b/tools/perf/util/symbol-elf.c @@ -961,8 +961,13 @@ int sysfs__read_build_id(const char *filename, struct build_id *bid) err = 0; break; } - } else if (read(fd, bf, descsz) != (ssize_t)descsz) - break; + } else { + /* descsz from untrusted file — clamp to buffer */ + if (descsz > sizeof(bf)) + break; + if (read(fd, bf, descsz) != (ssize_t)descsz) + break; + } } else { size_t n;
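Review bot: the comment added above the new check says `clamp to buffer`, but the code does not clamp anything; when `descsz > sizeof(bf)` it breaks out of the loop and stops scanning, leaving `err` untouched. Reword the comment to match the behaviour, e.g. `/* descsz comes from an untrusted file: bail if it does not fit bf */`, and prefer an ASCII separator over the em-dash so the comment stays plain ASCII like the rest of the hunk. The check itself is the right shape: `descsz == sizeof(bf)` still reads exactly one buffer's worth, so `>` rather than `>=` is correct, and breaking on an oversized value mirrors the existing break on a short read. One consistency point worth a sentence in the commit message: the other skip path below validates `namesz + descsz` against `sizeof(bf)` as one quantity, while this path now validates `descsz` alone, so a reader comparing the two branches will wonder why the bounds differ; either note that `namesz` has already been consumed here or fold both into one helper.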
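To make the bug concrete, here is an added example (not perf's code and not part of the commit) that walks an ELF note blob the way sysfs__read_build_id() does, but with every size field from the header validated before it is used. It assumes a little-endian note section already in memory, so each `namesz`/`descsz` can be checked against the bytes that remain in the input; the function and sample names (`find_gnu_build_id`, `good_note`, `hostile`) are hypothetical, and the three byte strings are constructed for the example. The `hostile` sample is the shape the commit message describes: the right `namesz` and type, a name other than "GNU", and a `descsz` far larger than any buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef NT_GNU_BUILD_ID
#define NT_GNU_BUILD_ID 3        /* same value as in <elf.h> */
#endif

#define BUILD_ID_MAX 64          /* real build-ids are 16..20 bytes; 64 leaves headroom */

/* Little-endian 32-bit load; the constructed samples below are little-endian. */
static uint32_t rd32(const unsigned char *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Note name and descriptor are each padded to a 4-byte boundary. */
static size_t align4(size_t n)
{
	return (n + 3) & ~(size_t)3;
}

/*
 * Walk an in-memory ELF note blob and copy the NT_GNU_BUILD_ID descriptor
 * into out[]. Returns its length, 0 if no such note exists, -1 if a header
 * claims more bytes than the input (or out[]) actually holds.
 */
int find_gnu_build_id(const unsigned char *buf, size_t len,
		      unsigned char *out, size_t outsz)
{
	size_t off = 0;

	while (len - off >= 12) {
		uint32_t namesz = rd32(buf + off);
		uint32_t descsz = rd32(buf + off + 4);
		uint32_t type   = rd32(buf + off + 8);
		size_t remaining, name_pad;

		off += 12;
		remaining = len - off;

		/* namesz and descsz are attacker-controlled: validate both before use. */
		if (namesz > remaining)
			return -1;
		name_pad = align4(namesz);
		if (name_pad > remaining)
			return -1;
		/* The bound the patch adds to the skip path: never trust descsz. */
		if (descsz > remaining - name_pad)
			return -1;

		if (type == NT_GNU_BUILD_ID && namesz == 4 &&
		    memcmp(buf + off, "GNU", 4) == 0) {
			if (descsz == 0 || descsz > outsz)
				return -1;   /* same bound on the "take it" path */
			memcpy(out, buf + off + name_pad, descsz);
			return (int)descsz;
		}

		/* Not the note we want: skip name + desc using validated sizes. */
		off += name_pad + align4(descsz);
		if (off > len)       /* last note without trailing padding */
			break;
	}
	return 0;
}

/* Constructed sample: one "GNU" build-id note with a 20-byte descriptor. */
static const unsigned char good_note[] = {
	4, 0, 0, 0,  20, 0, 0, 0,  3, 0, 0, 0,
	'G', 'N', 'U', 0,
	0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
	0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
};

/* Constructed sample: a non-GNU note of the same type first, then the real one. */
static const unsigned char skip_then_good[] = {
	4, 0, 0, 0,   4, 0, 0, 0,  3, 0, 0, 0,
	'X', 'Y', 'Z', 0,
	0xaa, 0xbb, 0xcc, 0xdd,
	4, 0, 0, 0,  20, 0, 0, 0,  3, 0, 0, 0,
	'G', 'N', 'U', 0,
	0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
	0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
};

/* Constructed hostile sample: right namesz and type, wrong name, descsz = 0xfffffff0.
 * An unchecked read(fd, bf, descsz) on this header is the overflow the patch closes. */
static const unsigned char hostile[] = {
	4, 0, 0, 0,  0xf0, 0xff, 0xff, 0xff,  3, 0, 0, 0,
	'X', 'Y', 'Z', 0,
	0x41, 0x41, 0x41, 0x41,
};

static unsigned char scratch[BUILD_ID_MAX];

int demo_good(void)    { return find_gnu_build_id(good_note, sizeof(good_note), scratch, sizeof(scratch)); }
int demo_skip(void)    { return find_gnu_build_id(skip_then_good, sizeof(skip_then_good), scratch, sizeof(scratch)); }
int demo_hostile(void) { return find_gnu_build_id(hostile, sizeof(hostile), scratch, sizeof(scratch)); }

int main(void)
{
	printf("good=%d skip=%d hostile=%d\n", demo_good(), demo_skip(), demo_hostile());
	return 0;
}
```

The difference from the fd-based loop in the patch is that an in-memory walker can bound `descsz` by what is left in the input as well as by the output buffer; the fixed perf code can only do the latter, which is exactly the `descsz > sizeof(bf)` check the hunk adds.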