Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
perf header: Sanity check HEADER_GROUP_DESC
Add upper bound check on nr_groups in process_group_desc() to harden
against malformed perf.data files (max 32768), and move the env
assignment after validation.
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
authored by
Arnaldo Carvalho de Melo
and committed by
Namhyung Kim
6830e20c
f613a6d6
+15
-1
+15
-1
tools/perf/util/header.c
+15
-1
tools/perf/util/header.c
···
63
63
#include <event-parse.h>
64
64
#endif
65
65
66
+
#define MAX_GROUP_DESC 32768
66
67
#define MAX_NUMA_NODES 4096
67
68
#define MAX_PMU_MAPPINGS 4096
68
69
#define MAX_SCHED_DOMAINS 64
···
3133
3132
if (do_read_u32(ff, &nr_groups))
3134
3133
return -1;
3135
3134
3136
-
env->nr_groups = nr_groups;
3137
3135
if (!nr_groups) {
3138
3136
pr_debug("group desc not available\n");
3139
3137
return 0;
3140
3138
}
3139
+
3140
+
if (nr_groups > MAX_GROUP_DESC) {
3141
+
pr_err("Invalid HEADER_GROUP_DESC: nr_groups (%u) > %u\n",
3142
+
nr_groups, MAX_GROUP_DESC);
3143
+
return -1;
3144
+
}
3145
+
3146
+
if (ff->size < sizeof(u32) + nr_groups * 3 * sizeof(u32)) {
3147
+
pr_err("Invalid HEADER_GROUP_DESC: section too small (%zu) for %u groups\n",
3148
+
ff->size, nr_groups);
3149
+
return -1;
3150
+
}
3151
+
3152
+
env->nr_groups = nr_groups;
3141
3153
3142
3154
desc = calloc(nr_groups, sizeof(*desc));
3143
3155
if (!desc)