Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
perf header: Sanity check HEADER_BPF_PROG_INFO
Add validation to process_bpf_prog_info() to harden against malformed
perf.data files:
- Upper bound on BPF program count (max 131072)
- Upper bound on per-program data_len (max 256MB)
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
authored by
Arnaldo Carvalho de Melo
and committed by
Namhyung Kim
66af7e9b
f5722a6b
+20
+20
tools/perf/util/header.c
+20
tools/perf/util/header.c
···
63
63
#include <event-parse.h>
64
64
#endif
65
65
66
+
#define MAX_BPF_DATA_LEN (256 * 1024 * 1024)
67
+
#define MAX_BPF_PROGS 131072
66
68
#define MAX_CACHE_ENTRIES 32768
67
69
#define MAX_GROUP_DESC 32768
68
70
#define MAX_NUMA_NODES 4096
···
3527
3525
if (do_read_u32(ff, &count))
3528
3526
return -1;
3529
3527
3528
+
if (count > MAX_BPF_PROGS) {
3529
+
pr_err("Invalid HEADER_BPF_PROG_INFO: count (%u) > %u\n",
3530
+
count, MAX_BPF_PROGS);
3531
+
return -1;
3532
+
}
3533
+
3534
+
if (ff->size < sizeof(u32) + count * (2 * sizeof(u32) + sizeof(u64))) {
3535
+
pr_err("Invalid HEADER_BPF_PROG_INFO: section too small (%zu) for %u entries\n",
3536
+
ff->size, count);
3537
+
return -1;
3538
+
}
3539
+
3530
3540
down_write(&env->bpf_progs.lock);
3531
3541
3532
3542
for (i = 0; i < count; ++i) {
···
3553
3539
3554
3540
if (info_len > sizeof(struct bpf_prog_info)) {
3555
3541
pr_warning("detected invalid bpf_prog_info\n");
3542
+
goto out;
3543
+
}
3544
+
3545
+
if (data_len > MAX_BPF_DATA_LEN) {
3546
+
pr_warning("Invalid HEADER_BPF_PROG_INFO: data_len (%u) too large\n",
3547
+
data_len);
3556
3548
goto out;
3557
3549
}
3558
3550