Commit f5722a6b authored by Arnaldo Carvalho de Melo's avatar Arnaldo Carvalho de Melo Committed by Namhyung Kim

perf header: Sanity check HEADER_PMU_CAPS



Add upper bound checks in PMU capabilities processing to harden against
malformed perf.data files:

- nr_pmu bounded to MAX_PMU_MAPPINGS (4096) in process_pmu_caps()
- nr_pmu_caps bounded to MAX_PMU_CAPS (512) in __process_pmu_caps()

Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: Ian Rogers <irogers@google.com>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: default avatarNamhyung Kim <namhyung@kernel.org>
parent 47c68eb1
+19 −0
@@ -66,6 +66,7 @@
#define MAX_CACHE_ENTRIES	32768
#define MAX_GROUP_DESC		32768
#define MAX_NUMA_NODES		4096
#define MAX_PMU_CAPS		512
#define MAX_PMU_MAPPINGS	4096
#define MAX_SCHED_DOMAINS	64

@@ -3677,6 +3678,12 @@ static int __process_pmu_caps(struct feat_fd *ff, int *nr_caps,
	if (!nr_pmu_caps)
		return 0;

	if (nr_pmu_caps > MAX_PMU_CAPS) {
		pr_err("Invalid pmu caps: nr_pmu_caps (%u) > %u\n",
		       nr_pmu_caps, MAX_PMU_CAPS);
		return -1;
	}

	*caps = calloc(nr_pmu_caps, sizeof(char *));
	if (!*caps)
		return -1;
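Review bot: The `nr_pmu_caps > MAX_PMU_CAPS` test caps the `calloc()` size but, unlike the `ff->size` test this commit adds in process_pmu_caps(), never compares the count with the bytes the section can still hold. A file can therefore claim up to 512 capabilities with no data behind them. Rejection then depends on the per-entry reads in the loop, which lies outside this hunk; confirm that they fail and release `*caps` on short input. If that split is intended, say so above the check, e.g. `/* Bounds the allocation only; truncated entries must be rejected by the reads below. */`.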
@@ -3754,6 +3761,18 @@ static int process_pmu_caps(struct feat_fd *ff, void *data __maybe_unused)
		return 0;
	}

	if (nr_pmu > MAX_PMU_MAPPINGS) {
		pr_err("Invalid HEADER_PMU_CAPS: nr_pmu (%u) > %u\n",
		       nr_pmu, MAX_PMU_MAPPINGS);
		return -1;
	}

	if (ff->size < sizeof(u32) + nr_pmu * sizeof(u32)) {
		pr_err("Invalid HEADER_PMU_CAPS: section too small (%zu) for %u PMUs\n",
		       ff->size, nr_pmu);
		return -1;
	}

	pmu_caps = calloc(nr_pmu, sizeof(*pmu_caps));
	if (!pmu_caps)
		return -ENOMEM;
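Review bot: The `ff->size` test is only safe because the `MAX_PMU_MAPPINGS` test runs first. With `nr_pmu` capped at 4096, `nr_pmu * sizeof(u32)` cannot wrap even where `size_t` is 32 bits, and reordering the two checks would lose that. A short comment would pin the dependency and the assumption behind the estimate, e.g. `/* nr_pmu is bounded above, so this cannot overflow; each PMU needs at least one u32 */`. The new failure paths return -1 while the `calloc()` failure just below returns `-ENOMEM`; if callers distinguish error codes, `-EINVAL` would be more consistent here. The rest of process_pmu_caps() is outside the hunk.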