
perf header: Sanity check HEADER_CPU_TOPOLOGY

Add validation to process_cpu_topology() to harden against malformed
perf.data files:

- Verify nr_cpus_avail was initialized (HEADER_NRCPUS processed first)
- Bounds check sibling counts (cores, threads, dies) against nr_cpus_avail
- Fix two bare 'return -1' that leaked env->cpu by using 'goto free_cpu'

Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>

authored by

Arnaldo Carvalho de Melo and committed by
Namhyung Kim
22a2e2b2 376ce5a9

+25 -2
+25 -2
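--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -2861,12 +2861,23 @@
 int cpu_nr = env->nr_cpus_avail;
 u64 size = 0;
 
+if (cpu_nr == 0) {
+pr_err("Invalid HEADER_CPU_TOPOLOGY: missing HEADER_NRCPUS\n");
+return -1;
+}
+
 env->cpu = calloc(cpu_nr, sizeof(*env->cpu));
 if (!env->cpu)
 return -1;
 
 if (do_read_u32(ff, &nr))
 goto free_cpu;
+
+if (nr > (u32)cpu_nr) {
+pr_err("Invalid HEADER_CPU_TOPOLOGY: nr_sibling_cores (%u) > nr_cpus_avail (%d)\n",
+nr, cpu_nr);
+goto free_cpu;
+}
 
 env->nr_sibling_cores = nr;
 size += sizeof(u32);
@@ -2887,7 +2898,13 @@
 env->sibling_cores = strbuf_detach(&sb, NULL);
 
 if (do_read_u32(ff, &nr))
-return -1;
+goto free_cpu;
+
+if (nr > (u32)cpu_nr) {
+pr_err("Invalid HEADER_CPU_TOPOLOGY: nr_sibling_threads (%u) > nr_cpus_avail (%d)\n",
+nr, cpu_nr);
+goto free_cpu;
+}
 
 env->nr_sibling_threads = nr;
 size += sizeof(u32);
@@ -2936,7 +2953,13 @@
 return 0;
 
 if (do_read_u32(ff, &nr))
-return -1;
+goto free_cpu;
+
+if (nr > (u32)cpu_nr) {
+pr_err("Invalid HEADER_CPU_TOPOLOGY: nr_sibling_dies (%u) > nr_cpus_avail (%d)\n",
+nr, cpu_nr);
+goto free_cpu;
+}
 
 env->nr_sibling_dies = nr;
 size += sizeof(u32);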
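Review bot: The guard added at the top of the first hunk rejects only `cpu_nr == 0`, but `cpu_nr` is a signed `int` and all three new bounds checks compare against `(u32)cpu_nr`, so a negative value would be cast to a very large bound and the sibling-count checks would no longer constrain `nr`. Whether `env->nr_cpus_avail` can be negative depends on how HEADER_NRCPUS is parsed, which is not visible here; if it can, the function is relying on `calloc()` failing rather than on the validation, and no diagnostic is printed. Tightening the guard to `if (cpu_nr <= 0) {` rejects that case explicitly without affecting valid files. The body of process_cpu_topology() starts and ends outside the hunks shown.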