From: Arnaldo Carvalho de Melo <acme@kernel.org>
To: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
James Clark <james.clark@linaro.org>,
Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Clark Williams <williams@redhat.com>,
linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
Arnaldo Carvalho de Melo <acme@redhat.com>,
sashiko-bot@kernel.org,
"Claude Opus 4.6 (1M context)" <noreply@anthropic.com>
Subject: [PATCH 24/27] perf session: Check for decompression buffer size overflow
Date: Wed, 20 May 2026 22:10:09 -0300 [thread overview]
Message-ID: <20260521011027.622268-25-acme@kernel.org> (raw)
In-Reply-To: <20260521011027.622268-1-acme@kernel.org>
From: Arnaldo Carvalho de Melo <acme@redhat.com>
On 32-bit systems, sizeof(struct decomp) + decomp_len can wrap
size_t when comp_mmap_len is large. The preceding patch caps
comp_mmap_len at ~2 GB, which bounds individual values, but two
additions can still overflow:
1. decomp_len += decomp_last_rem: on 32-bit, adding a u64 to
size_t silently truncates, producing a corrupted decomp_len
that would bypass the subsequent overflow check and result
in an undersized buffer allocation.
2. sizeof(struct decomp) + decomp_len: even with the cap, the
final addition could overflow on systems with small size_t.
Add explicit overflow checks before each addition as
defense-in-depth.
Reported-by: sashiko-bot@kernel.org # Running on a local machine
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
tools/perf/util/tool.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/tools/perf/util/tool.c b/tools/perf/util/tool.c
index 18641919473a859f..25c9b378aa163664 100644
--- a/tools/perf/util/tool.c
+++ b/tools/perf/util/tool.c
@@ -34,9 +34,22 @@ static int perf_session__process_compressed_event(const struct perf_tool *tool _
if (decomp_last->head > decomp_last->size)
return -1;
decomp_last_rem = decomp_last->size - decomp_last->head;
+ /*
+ * Check before adding: on 32-bit, size_t += u64
+ * silently truncates, bypassing the overflow check
+ * below and producing an undersized buffer.
+ */
+ if (decomp_last_rem > SIZE_MAX - decomp_len - sizeof(struct decomp)) {
+ pr_err("Decompression buffer size overflow\n");
+ return -1;
+ }
decomp_len += decomp_last_rem;
}
+ if (decomp_len > SIZE_MAX - sizeof(struct decomp)) {
+ pr_err("Decompression buffer size overflow\n");
+ return -1;
+ }
mmap_len = sizeof(struct decomp) + decomp_len;
decomp = mmap(NULL, mmap_len, PROT_READ|PROT_WRITE,
MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
--
2.54.0
next prev parent reply other threads:[~2026-05-21 1:12 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-21 1:09 [PATCHES 00/27] perf.data validation and hardening Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 01/27] perf session: Add minimum event size and alignment validation Arnaldo Carvalho de Melo
2026-05-21 1:59 ` sashiko-bot
2026-05-21 13:01 ` Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 02/27] perf tools: Fix event_contains() macro to verify full field extent Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 03/27] perf zstd: Fix compression error path in zstd_compress_stream_to_records() Arnaldo Carvalho de Melo
2026-05-21 1:49 ` sashiko-bot
2026-05-21 1:09 ` [PATCH 04/27] perf zstd: Fix multi-iteration decompression and error handling Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 05/27] perf session: Fix PERF_RECORD_READ swap and dump for variable-length events Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 06/27] perf session: Fix swap_sample_id_all() crash on crafted events Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 07/27] perf session: Add validated swap infrastructure with null-termination checks Arnaldo Carvalho de Melo
2026-05-21 1:52 ` sashiko-bot
2026-05-21 1:09 ` [PATCH 08/27] perf session: Use bounded copy for PERF_RECORD_TIME_CONV Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 09/27] perf session: Validate HEADER_ATTR attr.size before swapping Arnaldo Carvalho de Melo
2026-05-21 2:04 ` sashiko-bot
2026-05-21 1:09 ` [PATCH 10/27] perf session: Validate nr fields against event size on both swap and common paths Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 11/27] perf header: Byte-swap build ID event pid and bounds check section entries Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 12/27] perf cpumap: Reject RANGE_CPUS with start_cpu > end_cpu Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 13/27] perf auxtrace: Harden auxtrace_error event handling Arnaldo Carvalho de Melo
2026-05-21 1:09 ` [PATCH 14/27] perf session: Add byte-swap and bounds check for PERF_RECORD_BPF_METADATA events Arnaldo Carvalho de Melo
2026-05-21 2:23 ` sashiko-bot
2026-05-21 1:10 ` [PATCH 15/27] perf header: Validate null-termination in PERF_RECORD_EVENT_UPDATE string fields Arnaldo Carvalho de Melo
2026-05-21 1:10 ` [PATCH 16/27] perf tools: Bounds check perf_event_attr fields against attr.size before printing Arnaldo Carvalho de Melo
2026-05-21 1:10 ` [PATCH 17/27] perf header: Propagate feature section processing errors Arnaldo Carvalho de Melo
2026-05-21 1:10 ` [PATCH 18/27] perf header: Validate f_attr.ids section before use in perf_session__read_header() Arnaldo Carvalho de Melo
2026-05-21 1:10 ` [PATCH 19/27] perf header: Validate feature section size and add read path bounds checking Arnaldo Carvalho de Melo
2026-05-21 2:34 ` sashiko-bot
2026-05-21 1:10 ` [PATCH 20/27] perf header: Sanity check HEADER_EVENT_DESC attr.size before swap Arnaldo Carvalho de Melo
2026-05-21 1:10 ` [PATCH 21/27] perf header: Validate bitmap size before allocating in do_read_bitmap() Arnaldo Carvalho de Melo
2026-05-21 1:10 ` [PATCH 22/27] perf session: Add byte-swap for PERF_RECORD_COMPRESSED2 events Arnaldo Carvalho de Melo
2026-05-21 1:10 ` [PATCH 23/27] perf tools: Harden compressed event processing Arnaldo Carvalho de Melo
2026-05-21 1:10 ` Arnaldo Carvalho de Melo [this message]
2026-05-21 1:10 ` [PATCH 25/27] perf session: Bound nr_cpus_avail and validate sample CPU Arnaldo Carvalho de Melo
2026-05-21 2:43 ` sashiko-bot
2026-05-21 1:10 ` [PATCH 26/27] perf kwork: Bounds check work->cpu before indexing cpus_runtime[] Arnaldo Carvalho de Melo
2026-05-21 1:10 ` [PATCH 27/27] perf test: Add truncated perf.data robustness test Arnaldo Carvalho de Melo
2026-05-21 2:07 ` sashiko-bot
2026-05-21 12:57 ` Arnaldo Carvalho de Melo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260521011027.622268-25-acme@kernel.org \
--to=acme@kernel.org \
--cc=acme@redhat.com \
--cc=adrian.hunter@intel.com \
--cc=irogers@google.com \
--cc=james.clark@linaro.org \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
--cc=noreply@anthropic.com \
--cc=sashiko-bot@kernel.org \
--cc=tglx@linutronix.de \
--cc=williams@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox