public inbox for linux-perf-users@vger.kernel.org
From: Namhyung Kim <namhyung@kernel.org>
To: SeungJu Cheon <suunj1331@gmail.com>
Cc: peterz@infradead.org, mingo@redhat.com, acme@kernel.org,
	mark.rutland@arm.com, alexander.shishkin@linux.intel.com,
	jolsa@kernel.org, irogers@google.com, adrian.hunter@intel.com,
	brcampbell@google.com, shuah@kernel.org,
	linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] perf header: Validate build_id filename length to prevent buffer overflow
Date: Thu, 2 Apr 2026 10:59:24 -0700
Message-ID: <ac6ufPHfHR_L0ze-@google.com>
In-Reply-To: <20260401215310.348463-1-suunj1331@gmail.com>

Hello,

On Thu, Apr 02, 2026 at 06:53:10AM +0900, SeungJu Cheon wrote:
> The build_id parsing functions calculate a filename length from the
> event header size and read directly into a stack buffer of PATH_MAX
> bytes without bounds checking. A malformed perf.data file with a
> crafted header.size can cause the length to be negative or exceed
> PATH_MAX, resulting in a stack buffer overflow.
> 
> Add bounds checking for the filename length in both
> perf_header__read_build_ids() and the ABI quirk variant. Print a
> warning message when invalid length is detected.
> 
> Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
> ---
> v2:
>  - Add warning message when invalid filename length detected
> ---
>  tools/perf/util/header.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
> index 9142a8ba4019..132d360d716a 100644
> --- a/tools/perf/util/header.c
> +++ b/tools/perf/util/header.c
> @@ -2545,6 +2545,11 @@ static int perf_header__read_build_ids_abi_quirk(struct perf_header *header,
>  			perf_event_header__bswap(&old_bev.header);
>  
>  		len = old_bev.header.size - sizeof(old_bev);
> +		if (len < 0 || len >= PATH_MAX) {
> +			pr_warning("invalid build_id filename length %d\n", len);
> +			return -1;

I got these errors:

  In file included from util/header.c:38:
  util/header.c: In function 'perf_header__read_build_ids_abi_quirk':
  util/header.c:2549:36: error: format '%d' expects argument of type 'int', but argument 4 has type 'ssize_t' {aka 'long int'} [-Werror=format=]
   2549 |                         pr_warning("invalid build_id filename length %d\n", len);
        |                                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  util/debug.h:20:21: note: in definition of macro 'pr_fmt'
     20 | #define pr_fmt(fmt) fmt
        |                     ^~~
  util/header.c:2549:25: note: in expansion of macro 'pr_warning'
   2549 |                         pr_warning("invalid build_id filename length %d\n", len);
        |                         ^~~~~~~~~~
  util/header.c:2549:71: note: format string is defined here
   2549 |                         pr_warning("invalid build_id filename length %d\n", len);
        |                                                                      ~^
        |                                                                       |
        |                                                                       int
        |                                                                      %ld

Please make sure it builds before sending patches.  Hopefully we can run
perf test before and after your changes to see if there's anything
broken.

I'll fix it up this time.

Thanks,
Namhyung

> +		}
> +
>  		if (readn(input, filename, len) != len)
>  			return -1;
>  
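Review bot: the added pr_warning() formats `len` with `%d`, but `len` is ssize_t here, so the tree's -Werror=format= stops the build on this line; `%zd` is the matching conversion, i.e. `pr_warning("invalid build_id filename length %zd\n", len);`. The `len < 0` half of the check also works only because `old_bev.header.size - sizeof(old_bev)` is evaluated as unsigned, wraps for a size smaller than the struct, and then turns negative when stored in the signed `len`; an explicit `old_bev.header.size < sizeof(old_bev)` test before the subtraction would state the intent directly instead of relying on that conversion.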
> @@ -2587,6 +2592,11 @@ static int perf_header__read_build_ids(struct perf_header *header,
>  			perf_event_header__bswap(&bev.header);
>  
>  		len = bev.header.size - sizeof(bev);
> +		if (len < 0 || len >= PATH_MAX) {
> +			pr_warning("invalid build_id filename length %d\n", len);
> +			goto out;
> +		}
> +
>  		if (readn(input, filename, len) != len)
>  			goto out;
>  		/*
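Review bot: same `%d` versus ssize_t mismatch as in the abi_quirk hunk, so this pr_warning() needs `%zd` as well for the file to build. The `len >= PATH_MAX` bound keeps readn() from overrunning `filename[PATH_MAX]`, but nothing in this hunk NUL-terminates `filename` after the read; if the code following `readn()` treats `filename` as a C string, adding `filename[len] = '\0';` (the `>=` bound leaves exactly one byte for it) would also cover a record whose filename bytes carry no terminator. Since both hunks add the same check and message, a small helper that returns the validated length or -1 would avoid maintaining it in two places.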
> -- 
> 2.52.0
> 
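The commit message describes the defect in general terms: a length derived from the record's header.size is used, unchecked, to read into a PATH_MAX stack buffer, so a crafted size yields a negative or oversized length. The following is an added example, not code from the kernel tree or from the patch author, that models that record parsing in miniature and shows both the unchecked arithmetic and the bounded version the patch introduces. The record layout, the 20-byte body fields, the record type value 1 and the 64-byte DEMO_NAME_MAX (standing in for PATH_MAX) are constructed for the demo; the header's u32/u16/u16 shape mirrors perf_event_header.

```c
/*
 * Added example, not the kernel's code: a reduced model of the build_id
 * record parsing the patch hardens. Assumed layout: a header whose .size
 * covers the whole record, a fixed body, then the filename bytes.
 * DEMO_NAME_MAX stands in for PATH_MAX and is kept small for readability.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define DEMO_NAME_MAX 64

struct demo_event_header {
	uint32_t type;
	uint16_t misc;
	uint16_t size;		/* total record size, written by the file producer */
};

struct demo_build_id_event {
	struct demo_event_header header;
	int32_t pid;
	uint8_t build_id[20];
};

/*
 * Pre-patch arithmetic: header.size (uint16_t, promoted to int) minus a
 * size_t is evaluated as unsigned, so a size smaller than the struct wraps
 * to a huge size_t; storing that in ssize_t makes it negative, which is
 * why the patch's `len < 0` test catches truncated records. A size far
 * larger than the struct simply yields a large positive length. Neither
 * case was checked before the read into the fixed-size stack buffer.
 */
ssize_t demo_filename_len_unchecked(const struct demo_build_id_event *bev)
{
	return bev->header.size - sizeof(*bev);
}

/*
 * Post-patch behaviour: validate the length before copying. Returns the
 * filename length, or -1 for a record whose filename cannot fit. The
 * `>= DEMO_NAME_MAX` bound leaves one byte for a terminator, so the copy
 * is always a valid C string even if the record's bytes lack a NUL.
 */
ssize_t demo_read_filename(const unsigned char *record, size_t record_len,
			   char filename[DEMO_NAME_MAX])
{
	struct demo_build_id_event bev;
	ssize_t len;

	if (record_len < sizeof(bev))
		return -1;
	memcpy(&bev, record, sizeof(bev));

	len = bev.header.size - sizeof(bev);
	if (len < 0 || len >= DEMO_NAME_MAX) {
		/* %zd matches ssize_t; %d is what -Wformat rejected in the build log */
		fprintf(stderr, "invalid build_id filename length %zd\n", len);
		return -1;
	}
	/* perf's readn() fails when fewer than len bytes remain; same here */
	if ((size_t)len > record_len - sizeof(bev))
		return -1;

	memcpy(filename, record + sizeof(bev), (size_t)len);
	filename[len] = '\0';
	return len;
}

/* Build a constructed record carrying an arbitrary header.size (placeholder type 1). */
size_t demo_make_record(unsigned char *out, size_t outlen, uint16_t size,
			const char *name)
{
	struct demo_build_id_event bev;
	size_t namelen = strlen(name) + 1;	/* include the NUL */

	memset(&bev, 0, sizeof(bev));
	bev.header.type = 1;
	bev.header.size = size;
	bev.pid = 1234;
	if (outlen < sizeof(bev) + namelen)
		return 0;
	memcpy(out, &bev, sizeof(bev));
	memcpy(out + sizeof(bev), name, namelen);
	return sizeof(bev) + namelen;
}

int main(void)
{
	unsigned char rec[128];
	char name[DEMO_NAME_MAX];
	const char *path = "/usr/lib/libdemo.so";	/* 19 chars + NUL = 20 bytes */
	size_t n;
	ssize_t len;

	/* well-formed: size = struct + filename bytes */
	n = demo_make_record(rec, sizeof(rec), (uint16_t)(sizeof(struct demo_build_id_event) + 20), path);
	len = demo_read_filename(rec, n, name);
	printf("ok:        len=%zd name=%s\n", len, name);
	/* size smaller than the struct: wraps negative, rejected */
	n = demo_make_record(rec, sizeof(rec), 16, path);
	printf("too small: len=%zd\n", demo_read_filename(rec, n, name));
	/* size far larger than the buffer: rejected before any copy */
	n = demo_make_record(rec, sizeof(rec), 65535, path);
	printf("too large: len=%zd\n", demo_read_filename(rec, n, name));
	return 0;
}
```

The three records in main() correspond to the commit message's cases: a well-formed record, one whose header.size is smaller than the fixed part (negative length after the unsigned wrap), and one whose size claims more filename bytes than the buffer holds. Only the first reaches the copy; the others are rejected by the same `len < 0 || len >= MAX` test the patch adds.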

Thread overview: 4+ messages
2026-04-01 21:53 [PATCH v2] perf header: Validate build_id filename length to prevent buffer overflow SeungJu Cheon
2026-04-01 22:12 ` Ian Rogers
2026-04-02 15:33   ` Ian Rogers
2026-04-02 17:59 ` Namhyung Kim [this message]
