tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

perf header: Add sanity checks to HEADER_BPF_BTF processing

Validate the BTF entry count and individual data sizes when reading
HEADER_BPF_BTF from perf.data files to prevent excessive memory
allocation from malformed files.

Reuses the MAX_BPF_PROGS (131072) and MAX_BPF_DATA_LEN (256 MB)
limits from HEADER_BPF_PROG_INFO processing.

Cc: Song Liu <song@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>

authored by

Arnaldo Carvalho de Melo and committed by
Namhyung Kim dff56bda 66af7e9b

+17
+17
tools/perf/util/header.c
··· 3622 3622 if (do_read_u32(ff, &count)) 3623 3623 return -1; 3624 3624 3625 + if (count > MAX_BPF_PROGS) { 3626 + pr_err("bpf btf count %u too large (max %u)\n", count, MAX_BPF_PROGS); 3627 + return -1; 3628 + } 3629 + 3630 + if (ff->size < sizeof(u32) + count * 2 * sizeof(u32)) { 3631 + pr_err("Invalid HEADER_BPF_BTF: section too small (%zu) for %u entries\n", 3632 + ff->size, count); 3633 + return -1; 3634 + } 3635 + 3625 3636 down_write(&env->bpf_progs.lock); 3626 3637 3627 3638 for (i = 0; i < count; ++i) { ··· 3642 3631 goto out; 3643 3632 if (do_read_u32(ff, &data_size)) 3644 3633 goto out; 3634 + 3635 + if (data_size > MAX_BPF_DATA_LEN) { 3636 + pr_err("bpf btf data size %u too large (max %u)\n", 3637 + data_size, MAX_BPF_DATA_LEN); 3638 + goto out; 3639 + } 3645 3640 3646 3641 node = malloc(sizeof(struct btf_node) + data_size); 3647 3642 if (!node)