From: sashiko-bot@kernel.org
To: "Arnaldo Carvalho de Melo" <acme@kernel.org>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 02/13] perf header: Bump up the max number of command line args allowed
Date: Fri, 10 Apr 2026 01:08:55 +0000 [thread overview]
Message-ID: <20260410010856.18522C2BC87@smtp.kernel.org> (raw)
In-Reply-To: <20260410004000.148138-3-acme@kernel.org>
Sashiko AI review found 1 potential issue(s):
- [High] Heap buffer overflow in `process_cmdline` due to unbounded file reads into an undersized allocation.
--
commit 3f19c967de1b22045b10b4bbef5f04c6e3827352
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
perf header: Bump up the max number of command line args allowed
This commit increases the upper limit validation for command line
arguments from 32,768 to 1,048,576 to accommodate large wildcard expansions.
Link: https://sashiko.dev/#/patchset/20260408172846.96360-1-acme%40kernel.org
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index a2796b72adc4d..22c44b6f0b098 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
> @@ -2795,8 +2795,11 @@ process_event_desc(struct feat_fd *ff, void *data __maybe_unused)
> return 0;
> }
>
> -// Some reasonable arbitrary max for the number of command line arguments
> -#define MAX_CMDLINE_NR 32768
> +/*
> + * Some arbitrary max for the number of command line arguments,
> + * Wildcards can expand and end up with tons of command line args.
> + */
> +#define MAX_CMDLINE_NR 1048576
While this patch doesn't introduce the underlying issue, does bumping
this limit exacerbate a regression involving a heap buffer overflow in
process_cmdline?
Currently, process_cmdline allocates the buffer based on ff->size:
cmdline = zalloc(ff->size + nr + 1);
When parsing directly from the file descriptor, do_read_string uses
__do_read_fd, which reads lengths and string data from the file without
capping the total bytes read to ff->size.
If a maliciously crafted perf.data file provides a small ff->size but
supplies arbitrarily large strings in the payload, could do_read_string
read them successfully, causing the subsequent memcpy loop to overflow
the cmdline allocation?
Additionally, since do_read_string lacks null-termination enforcement,
if a string is provided without a null byte, could strlen perform an
out-of-bounds heap over-read, further inflating the length of the string
being copied?
> static int process_cmdline(struct feat_fd *ff, void *data __maybe_unused)
> {
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260410004000.148138-1-acme@kernel.org?part=2
next prev parent reply other threads:[~2026-04-10 1:08 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-10 0:39 [PATCHES perf-tools-next v1 00/13] Sanity check perf.data headers Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 01/13] perf header: Validate nr_domains when reading HEADER_CPU_DOMAIN_INFO Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 02/13] perf header: Bump up the max number of command line args allowed Arnaldo Carvalho de Melo
2026-04-10 1:08 ` sashiko-bot [this message]
2026-04-10 0:39 ` [PATCH 03/13] perf header: Sanity check HEADER_NRCPUS and HEADER_CPU_DOMAIN_INFO Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 04/13] perf header: Sanity check HEADER_CPU_TOPOLOGY Arnaldo Carvalho de Melo
2026-04-10 1:14 ` sashiko-bot
2026-04-10 0:39 ` [PATCH 05/13] perf header: Sanity check HEADER_NUMA_TOPOLOGY Arnaldo Carvalho de Melo
2026-04-10 1:04 ` sashiko-bot
2026-04-10 0:39 ` [PATCH 06/13] perf header: Sanity check HEADER_MEM_TOPOLOGY Arnaldo Carvalho de Melo
2026-04-10 1:04 ` sashiko-bot
2026-04-10 0:39 ` [PATCH 07/13] perf header: Sanity check HEADER_PMU_MAPPINGS Arnaldo Carvalho de Melo
2026-04-10 1:10 ` sashiko-bot
2026-04-10 0:39 ` [PATCH 08/13] perf header: Sanity check HEADER_GROUP_DESC Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 09/13] perf header: Sanity check HEADER_CACHE Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 10/13] perf header: Sanity check HEADER_HYBRID_TOPOLOGY Arnaldo Carvalho de Melo
2026-04-10 0:58 ` sashiko-bot
2026-04-10 1:01 ` Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 11/13] perf header: Sanity check HEADER_PMU_CAPS Arnaldo Carvalho de Melo
2026-04-10 0:39 ` [PATCH 12/13] perf header: Sanity check HEADER_BPF_PROG_INFO Arnaldo Carvalho de Melo
2026-04-10 0:40 ` [PATCH 13/13] perf header: Add sanity checks to HEADER_BPF_BTF processing Arnaldo Carvalho de Melo
2026-04-10 1:30 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260410010856.18522C2BC87@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=acme@kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox