Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
perf header: Sanity check HEADER_CACHE
Add upper bound check on cache entry count in process_cache() to harden
against malformed perf.data files (max 32768).
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
authored by
Arnaldo Carvalho de Melo
and committed by
Namhyung Kim
110a6617
6830e20c
+13
+13
tools/perf/util/header.c
+13
tools/perf/util/header.c
···
63
63
#include <event-parse.h>
64
64
#endif
65
65
66
+
#define MAX_CACHE_ENTRIES 32768
66
67
#define MAX_GROUP_DESC 32768
67
68
#define MAX_NUMA_NODES 4096
68
69
#define MAX_PMU_MAPPINGS 4096
···
3243
3242
3244
3243
if (do_read_u32(ff, &cnt))
3245
3244
return -1;
3245
+
3246
+
if (cnt > MAX_CACHE_ENTRIES) {
3247
+
pr_err("Invalid HEADER_CACHE: cnt (%u) > %u\n",
3248
+
cnt, MAX_CACHE_ENTRIES);
3249
+
return -1;
3250
+
}
3251
+
3252
+
if (ff->size < 2 * sizeof(u32) + cnt * 7 * sizeof(u32)) {
3253
+
pr_err("Invalid HEADER_CACHE: section too small (%zu) for %u entries\n",
3254
+
ff->size, cnt);
3255
+
return -1;
3256
+
}
3246
3257
3247
3258
caches = calloc(cnt, sizeof(*caches));
3248
3259
if (!caches)