From: SeungJu Cheon <suunj1331@gmail.com>
To: peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
namhyung@kernel.org
Cc: mark.rutland@arm.com, alexander.shishkin@linux.intel.com,
jolsa@kernel.org, irogers@google.com, adrian.hunter@intel.com,
brcampbell@google.com, shuah@kernel.org,
linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org,
SeungJu Cheon <suunj1331@gmail.com>
Subject: [PATCH v2] perf header: Validate build_id filename length to prevent buffer overflow
Date: Thu, 2 Apr 2026 06:53:10 +0900 [thread overview]
Message-ID: <20260401215310.348463-1-suunj1331@gmail.com> (raw)
The build_id parsing functions calculate a filename length from the
event header size and read directly into a stack buffer of PATH_MAX
bytes without bounds checking. A malformed perf.data file with a
crafted header.size can cause the length to be negative or exceed
PATH_MAX, resulting in a stack buffer overflow.
Add bounds checking for the filename length in both
perf_header__read_build_ids() and the ABI quirk variant. Print a
warning message when invalid length is detected.
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
---
v2:
- Add warning message when invalid filename length detected
---
| 10 ++++++++++
1 file changed, 10 insertions(+)
--git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 9142a8ba4019..132d360d716a 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -2545,6 +2545,11 @@ static int perf_header__read_build_ids_abi_quirk(struct perf_header *header,
perf_event_header__bswap(&old_bev.header);
len = old_bev.header.size - sizeof(old_bev);
+ if (len < 0 || len >= PATH_MAX) {
+ pr_warning("invalid build_id filename length %d\n", len);
+ return -1;
+ }
+
if (readn(input, filename, len) != len)
return -1;
@@ -2587,6 +2592,11 @@ static int perf_header__read_build_ids(struct perf_header *header,
perf_event_header__bswap(&bev.header);
len = bev.header.size - sizeof(bev);
+ if (len < 0 || len >= PATH_MAX) {
+ pr_warning("invalid build_id filename length %d\n", len);
+ goto out;
+ }
+
if (readn(input, filename, len) != len)
goto out;
/*
--
2.52.0
next reply other threads:[~2026-04-01 21:53 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-01 21:53 SeungJu Cheon [this message]
2026-04-01 22:12 ` [PATCH v2] perf header: Validate build_id filename length to prevent buffer overflow Ian Rogers
2026-04-02 15:33 ` Ian Rogers
2026-04-02 17:59 ` Namhyung Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260401215310.348463-1-suunj1331@gmail.com \
--to=suunj1331@gmail.com \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=brcampbell@google.com \
--cc=irogers@google.com \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox