* [PATCH v2] perf header: Validate build_id filename length to prevent buffer overflow
From: SeungJu Cheon @ 2026-04-01 21:53 UTC (permalink / raw)
To: peterz, mingo, acme, namhyung
Cc: mark.rutland, alexander.shishkin, jolsa, irogers, adrian.hunter,
brcampbell, shuah, linux-perf-users, linux-kernel, SeungJu Cheon
The build_id parsing functions calculate a filename length from the
event header size and read directly into a stack buffer of PATH_MAX
bytes without bounds checking. A malformed perf.data file with a
crafted header.size can cause the length to be negative or exceed
PATH_MAX, resulting in a stack buffer overflow.
Add bounds checking for the filename length in both
perf_header__read_build_ids() and the ABI quirk variant. Print a
warning message when invalid length is detected.
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
---
v2:
- Add warning message when invalid filename length detected
---
 tools/perf/util/header.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 9142a8ba4019..132d360d716a 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -2545,6 +2545,11 @@ static int perf_header__read_build_ids_abi_quirk(struct perf_header *header,
perf_event_header__bswap(&old_bev.header);
len = old_bev.header.size - sizeof(old_bev);
+ if (len < 0 || len >= PATH_MAX) {
+ pr_warning("invalid build_id filename length %d\n", len);
+ return -1;
+ }
+
if (readn(input, filename, len) != len)
return -1;
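Review bot: The `%d` conversion in the added `pr_warning()` call does not match the type of `len`. The build log later in this thread reports `len` as `ssize_t`, so the line is rejected under -Werror=format=. Use `%zd`, the conversion for `ssize_t`, here and in the identical warning in the perf_header__read_build_ids() hunk.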
@@ -2587,6 +2592,11 @@ static int perf_header__read_build_ids(struct perf_header *header,
perf_event_header__bswap(&bev.header);
len = bev.header.size - sizeof(bev);
+ if (len < 0 || len >= PATH_MAX) {
+ pr_warning("invalid build_id filename length %d\n", len);
+ goto out;
+ }
+
if (readn(input, filename, len) != len)
goto out;
/*
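Review bot: Nothing in this hunk NUL-terminates `filename` after the `readn()` that follows the new check, so a record whose `len` bytes contain no '\0' leaves the PATH_MAX stack buffer unterminated, and any later use of it as a C string reads whatever bytes were already on the stack. The `len >= PATH_MAX` bound guarantees room for the terminator, so set `filename[len] = '\0';` after a successful `readn()`, here and in the ABI quirk hunk.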
--
2.52.0
* Re: [PATCH v2] perf header: Validate build_id filename length to prevent buffer overflow
From: Ian Rogers @ 2026-04-01 22:12 UTC (permalink / raw)
To: SeungJu Cheon
Cc: peterz, mingo, acme, namhyung, mark.rutland, alexander.shishkin,
jolsa, adrian.hunter, brcampbell, shuah, linux-perf-users,
linux-kernel
On Wed, Apr 1, 2026 at 2:53 PM SeungJu Cheon <suunj1331@gmail.com> wrote:
>
> The build_id parsing functions calculate a filename length from the
> event header size and read directly into a stack buffer of PATH_MAX
> bytes without bounds checking. A malformed perf.data file with a
> crafted header.size can cause the length to be negative or exceed
> PATH_MAX, resulting in a stack buffer overflow.
>
> Add bounds checking for the filename length in both
> perf_header__read_build_ids() and the ABI quirk variant. Print a
> warning message when invalid length is detected.
>
> Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Thanks,
Ian
> ---
> v2:
> - Add warning message when invalid filename length detected
> ---
> tools/perf/util/header.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index 9142a8ba4019..132d360d716a 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
> @@ -2545,6 +2545,11 @@ static int perf_header__read_build_ids_abi_quirk(struct perf_header *header,
> perf_event_header__bswap(&old_bev.header);
>
> len = old_bev.header.size - sizeof(old_bev);
> + if (len < 0 || len >= PATH_MAX) {
> + pr_warning("invalid build_id filename length %d\n", len);
> + return -1;
> + }
> +
> if (readn(input, filename, len) != len)
> return -1;
>
> @@ -2587,6 +2592,11 @@ static int perf_header__read_build_ids(struct perf_header *header,
> perf_event_header__bswap(&bev.header);
>
> len = bev.header.size - sizeof(bev);
> + if (len < 0 || len >= PATH_MAX) {
> + pr_warning("invalid build_id filename length %d\n", len);
> + goto out;
> + }
> +
> if (readn(input, filename, len) != len)
> goto out;
> /*
> --
> 2.52.0
>
* Re: [PATCH v2] perf header: Validate build_id filename length to prevent buffer overflow
From: Ian Rogers @ 2026-04-02 15:33 UTC (permalink / raw)
To: SeungJu Cheon
Cc: peterz, mingo, acme, namhyung, mark.rutland, alexander.shishkin,
jolsa, adrian.hunter, brcampbell, shuah, linux-perf-users,
linux-kernel
On Wed, Apr 1, 2026 at 3:12 PM Ian Rogers <irogers@google.com> wrote:
>
> On Wed, Apr 1, 2026 at 2:53 PM SeungJu Cheon <suunj1331@gmail.com> wrote:
> >
> > The build_id parsing functions calculate a filename length from the
> > event header size and read directly into a stack buffer of PATH_MAX
> > bytes without bounds checking. A malformed perf.data file with a
> > crafted header.size can cause the length to be negative or exceed
> > PATH_MAX, resulting in a stack buffer overflow.
> >
> > Add bounds checking for the filename length in both
> > perf_header__read_build_ids() and the ABI quirk variant. Print a
> > warning message when invalid length is detected.
> >
> > Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
>
> Reviewed-by: Ian Rogers <irogers@google.com>
Sashiko spotted some additional nits:
https://sashiko.dev/#/patchset/20260401215310.348463-1-suunj1331%40gmail.com
printf flags, potential for no '\0' termination and reads of
uninitialized memory.
Thanks,
Ian
> Thanks,
> Ian
>
> > ---
> > v2:
> > - Add warning message when invalid filename length detected
> > ---
> > tools/perf/util/header.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> > index 9142a8ba4019..132d360d716a 100644
> > --- a/tools/perf/util/header.c
> > +++ b/tools/perf/util/header.c
> > @@ -2545,6 +2545,11 @@ static int perf_header__read_build_ids_abi_quirk(struct perf_header *header,
> > perf_event_header__bswap(&old_bev.header);
> >
> > len = old_bev.header.size - sizeof(old_bev);
> > + if (len < 0 || len >= PATH_MAX) {
> > + pr_warning("invalid build_id filename length %d\n", len);
> > + return -1;
> > + }
> > +
> > if (readn(input, filename, len) != len)
> > return -1;
> >
> > @@ -2587,6 +2592,11 @@ static int perf_header__read_build_ids(struct perf_header *header,
> > perf_event_header__bswap(&bev.header);
> >
> > len = bev.header.size - sizeof(bev);
> > + if (len < 0 || len >= PATH_MAX) {
> > + pr_warning("invalid build_id filename length %d\n", len);
> > + goto out;
> > + }
> > +
> > if (readn(input, filename, len) != len)
> > goto out;
> > /*
> > --
> > 2.52.0
> >
* Re: [PATCH v2] perf header: Validate build_id filename length to prevent buffer overflow
From: Namhyung Kim @ 2026-04-02 17:59 UTC (permalink / raw)
To: SeungJu Cheon
Cc: peterz, mingo, acme, mark.rutland, alexander.shishkin, jolsa,
irogers, adrian.hunter, brcampbell, shuah, linux-perf-users,
linux-kernel
Hello,
On Thu, Apr 02, 2026 at 06:53:10AM +0900, SeungJu Cheon wrote:
> The build_id parsing functions calculate a filename length from the
> event header size and read directly into a stack buffer of PATH_MAX
> bytes without bounds checking. A malformed perf.data file with a
> crafted header.size can cause the length to be negative or exceed
> PATH_MAX, resulting in a stack buffer overflow.
>
> Add bounds checking for the filename length in both
> perf_header__read_build_ids() and the ABI quirk variant. Print a
> warning message when invalid length is detected.
>
> Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
> ---
> v2:
> - Add warning message when invalid filename length detected
> ---
> tools/perf/util/header.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index 9142a8ba4019..132d360d716a 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
> @@ -2545,6 +2545,11 @@ static int perf_header__read_build_ids_abi_quirk(struct perf_header *header,
> perf_event_header__bswap(&old_bev.header);
>
> len = old_bev.header.size - sizeof(old_bev);
> + if (len < 0 || len >= PATH_MAX) {
> + pr_warning("invalid build_id filename length %d\n", len);
> + return -1;
I got these errors:
In file included from util/header.c:38:
util/header.c: In function 'perf_header__read_build_ids_abi_quirk':
util/header.c:2549:36: error: format '%d' expects argument of type 'int', but argument 4 has type 'ssize_t' {aka 'long int'} [-Werror=format=]
2549 | pr_warning("invalid build_id filename length %d\n", len);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util/debug.h:20:21: note: in definition of macro 'pr_fmt'
20 | #define pr_fmt(fmt) fmt
| ^~~
util/header.c:2549:25: note: in expansion of macro 'pr_warning'
2549 | pr_warning("invalid build_id filename length %d\n", len);
| ^~~~~~~~~~
util/header.c:2549:71: note: format string is defined here
2549 | pr_warning("invalid build_id filename length %d\n", len);
| ~^
| |
| int
| %ld
Please make sure it builds before sending patches. Hopefully we can run
perf test before and after your changes to see if there's anything
broken.
I'll fix it up this time.
Thanks,
Namhyung
> + }
> +
> if (readn(input, filename, len) != len)
> return -1;
>
> @@ -2587,6 +2592,11 @@ static int perf_header__read_build_ids(struct perf_header *header,
> perf_event_header__bswap(&bev.header);
>
> len = bev.header.size - sizeof(bev);
> + if (len < 0 || len >= PATH_MAX) {
> + pr_warning("invalid build_id filename length %d\n", len);
> + goto out;
> + }
> +
> if (readn(input, filename, len) != len)
> goto out;
> /*
> --
> 2.52.0
>