From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Ian Rogers <irogers@google.com>,
Namhyung Kim <namhyung@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 10/95] perf symbol-minimal: Fix ehdr reading in filename__read_build_id
Date: Tue, 2 Sep 2025 15:19:46 +0200
Message-ID: <20250902131940.010821977@linuxfoundation.org>
In-Reply-To: <20250902131939.601201881@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit ba0b7081f7a521d7c28b527a4f18666a148471e7 ]
The e_ident is part of the ehdr and so reading it a second time would
mean the read ehdr was displaced by 16 bytes. Switch from stdio to
open/read/lseek syscalls for similarity with the symbol-elf version of
the function and so that later changes can alter the open flags.
Fixes: fef8f648bb47 ("perf symbol: Fix use-after-free in filename__read_build_id")
Signed-off-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20250823000024.724394-2-irogers@google.com
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/symbol-minimal.c | 55 ++++++++++++++++----------------
1 file changed, 27 insertions(+), 28 deletions(-)
diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c
index 36c1d3090689f..f114f75ebeb98 100644
--- a/tools/perf/util/symbol-minimal.c
+++ b/tools/perf/util/symbol-minimal.c
@@ -4,7 +4,6 @@
#include <errno.h>
#include <unistd.h>
-#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>
@@ -88,11 +87,8 @@ int filename__read_debuglink(const char *filename __maybe_unused,
*/
int filename__read_build_id(const char *filename, struct build_id *bid)
{
- FILE *fp;
- int ret = -1;
+ int fd, ret = -1;
bool need_swap = false, elf32;
- u8 e_ident[EI_NIDENT];
- int i;
union {
struct {
Elf32_Ehdr ehdr32;
@@ -103,28 +99,27 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
Elf64_Phdr *phdr64;
};
} hdrs;
- void *phdr;
- size_t phdr_size;
- void *buf = NULL;
- size_t buf_size = 0;
+ void *phdr, *buf = NULL;
+ ssize_t phdr_size, ehdr_size, buf_size = 0;
- fp = fopen(filename, "r");
- if (fp == NULL)
+ fd = open(filename, O_RDONLY);
+ if (fd < 0)
return -1;
- if (fread(e_ident, sizeof(e_ident), 1, fp) != 1)
+ if (read(fd, hdrs.ehdr32.e_ident, EI_NIDENT) != EI_NIDENT)
goto out;
- if (memcmp(e_ident, ELFMAG, SELFMAG) ||
- e_ident[EI_VERSION] != EV_CURRENT)
+ if (memcmp(hdrs.ehdr32.e_ident, ELFMAG, SELFMAG) ||
+ hdrs.ehdr32.e_ident[EI_VERSION] != EV_CURRENT)
goto out;
- need_swap = check_need_swap(e_ident[EI_DATA]);
- elf32 = e_ident[EI_CLASS] == ELFCLASS32;
+ need_swap = check_need_swap(hdrs.ehdr32.e_ident[EI_DATA]);
+ elf32 = hdrs.ehdr32.e_ident[EI_CLASS] == ELFCLASS32;
+ ehdr_size = (elf32 ? sizeof(hdrs.ehdr32) : sizeof(hdrs.ehdr64)) - EI_NIDENT;
- if (fread(elf32 ? (void *)&hdrs.ehdr32 : (void *)&hdrs.ehdr64,
- elf32 ? sizeof(hdrs.ehdr32) : sizeof(hdrs.ehdr64),
- 1, fp) != 1)
+ if (read(fd,
+ (elf32 ? (void *)&hdrs.ehdr32 : (void *)&hdrs.ehdr64) + EI_NIDENT,
+ ehdr_size) != ehdr_size)
goto out;
if (need_swap) {
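Review bot: the new `read(fd, ..., EI_NIDENT) != EI_NIDENT` and `read(fd, ..., ehdr_size) != ehdr_size` checks treat a short read as failure, whereas the fread() calls they replace kept reading until the requested count or EOF. On a regular file that only differs when a signal interrupts the read, but if `filename` is ever a FIFO or a file on a slow network mount this now returns -1 where it used to succeed; either say so in a comment or use a read-until-full loop (perf already carries a readn() helper for this). A one-line comment would also help at the first read: it works for the 64-bit case only because both Ehdr structs start with an EI_NIDENT-byte e_ident at offset 0 and share the union, so filling `hdrs.ehdr32.e_ident` fills `hdrs.ehdr64.e_ident` too.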
@@ -138,14 +133,18 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
hdrs.ehdr64.e_phnum = bswap_16(hdrs.ehdr64.e_phnum);
}
}
- phdr_size = elf32 ? hdrs.ehdr32.e_phentsize * hdrs.ehdr32.e_phnum
- : hdrs.ehdr64.e_phentsize * hdrs.ehdr64.e_phnum;
+ if ((elf32 && hdrs.ehdr32.e_phentsize != sizeof(Elf32_Phdr)) ||
+ (!elf32 && hdrs.ehdr64.e_phentsize != sizeof(Elf64_Phdr)))
+ goto out;
+
+ phdr_size = elf32 ? sizeof(Elf32_Phdr) * hdrs.ehdr32.e_phnum
+ : sizeof(Elf64_Phdr) * hdrs.ehdr64.e_phnum;
phdr = malloc(phdr_size);
if (phdr == NULL)
goto out;
- fseek(fp, elf32 ? hdrs.ehdr32.e_phoff : hdrs.ehdr64.e_phoff, SEEK_SET);
- if (fread(phdr, phdr_size, 1, fp) != 1)
+ lseek(fd, elf32 ? hdrs.ehdr32.e_phoff : hdrs.ehdr64.e_phoff, SEEK_SET);
+ if (read(fd, phdr, phdr_size) != phdr_size)
goto out_free;
if (elf32)
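Review bot: the lseek() return value is unchecked, so if the seek to e_phoff fails (offset beyond what the descriptor supports, or a non-seekable input) the read() that follows consumes whatever is at the current file position and the e_phentsize check added above cannot catch it. Suggest `if (lseek(fd, elf32 ? hdrs.ehdr32.e_phoff : hdrs.ehdr64.e_phoff, SEEK_SET) == (off_t)-1) goto out_free;`. The e_phentsize validation itself is a good addition; with e_phnum == 0 the result is malloc(0), which may return NULL and take the `goto out` path, the same outcome as before the change.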
@@ -153,8 +152,8 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
else
hdrs.phdr64 = phdr;
- for (i = 0; i < elf32 ? hdrs.ehdr32.e_phnum : hdrs.ehdr64.e_phnum; i++) {
- size_t p_filesz;
+ for (int i = 0; i < (elf32 ? hdrs.ehdr32.e_phnum : hdrs.ehdr64.e_phnum); i++) {
+ ssize_t p_filesz;
if (need_swap) {
if (elf32) {
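Review bot: the added parentheses in the loop condition fix a bug the changelog does not mention. `i < elf32 ? hdrs.ehdr32.e_phnum : hdrs.ehdr64.e_phnum` parses as `(i < elf32) ? ... : ...`, so the old loop never compared `i` against e_phnum at all and could walk past the end of the phdr array on a binary where read_build_id() finds nothing. Please call this out in the commit message (it is arguably worth its own Fixes: line) so stable maintainers can see why the hunk matters; the `for (int i = ...)` scoping and the `ssize_t p_filesz` type change are fine.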
@@ -180,8 +179,8 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
goto out_free;
buf = tmp;
}
- fseek(fp, elf32 ? hdrs.phdr32[i].p_offset : hdrs.phdr64[i].p_offset, SEEK_SET);
- if (fread(buf, p_filesz, 1, fp) != 1)
+ lseek(fd, elf32 ? hdrs.phdr32[i].p_offset : hdrs.phdr64[i].p_offset, SEEK_SET);
+ if (read(fd, buf, p_filesz) != p_filesz)
goto out_free;
ret = read_build_id(buf, p_filesz, bid, need_swap);
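Review bot: the seek to p_offset is also unchecked, and here a failure is harder to notice: lseek() returning -1 leaves the file position wherever the previous read ended, so read_build_id() would scan the wrong bytes while the `read(fd, buf, p_filesz) != p_filesz` check still passes. The same `== (off_t)-1` test that applies to the e_phoff seek belongs here, with `goto out_free` on failure.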
@@ -194,7 +193,7 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
free(buf);
free(phdr);
out:
- fclose(fp);
+ close(fd);
return ret;
}
--
2.50.1
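The displacement the commit message describes, as an added example that is not part of the patch or of perf: an in-memory stand-in for the fd runs the pre-patch and the patched read sequence over a constructed ELF64 header and reports the e_phnum each one sees (`memfile`, `mem_read`, `build_file`, `read_ehdr` and `phnum_seen` are all names assumed here, not perf's).

```c
#include <elf.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define FILE_LEN 128 /* constructed "file": one ehdr followed by zero padding */

/* Stand-in for an fd: a buffer plus the file position that each read advances. */
struct memfile { const uint8_t *data; size_t pos; };

static size_t mem_read(struct memfile *f, void *dst, size_t n)
{
    if (n > FILE_LEN - f->pos) n = FILE_LEN - f->pos;
    memcpy(dst, f->data + f->pos, n);
    f->pos += n;
    return n;
}

/* Constructed ELF64 header (not from a real binary): little-endian, program
 * headers right after the ehdr, e_phentsize = sizeof(Elf64_Phdr), e_phnum = 3. */
static void build_file(uint8_t *buf)
{
    Elf64_Ehdr h = { 0 };
    memcpy(h.e_ident, ELFMAG, SELFMAG);
    h.e_ident[EI_CLASS] = ELFCLASS64;
    h.e_ident[EI_DATA] = ELFDATA2LSB;
    h.e_ident[EI_VERSION] = EV_CURRENT;
    h.e_phoff = sizeof(Elf64_Ehdr);
    h.e_phentsize = sizeof(Elf64_Phdr);
    h.e_phnum = 3;
    memset(buf, 0, FILE_LEN);
    memcpy(buf, &h, sizeof(h));
}

/* fixed=false reproduces the pre-patch flow: e_ident is read and validated, then
 * the whole ehdr is read again from the position left behind, so every field
 * lands EI_NIDENT bytes too late. fixed=true is the patched flow: only the bytes
 * after e_ident are read, and e_phentsize is validated before it is trusted. */
static bool read_ehdr(struct memfile *f, Elf64_Ehdr *out, bool fixed)
{
    uint8_t *dst = fixed ? (uint8_t *)out + EI_NIDENT : (uint8_t *)out;
    size_t rest = fixed ? sizeof(*out) - EI_NIDENT : sizeof(*out);
    if (mem_read(f, out->e_ident, EI_NIDENT) != EI_NIDENT) return false;
    if (memcmp(out->e_ident, ELFMAG, SELFMAG) != 0 ||
        out->e_ident[EI_VERSION] != EV_CURRENT) return false;
    if (mem_read(f, dst, rest) != rest) return false;
    return !fixed || out->e_phentsize == sizeof(Elf64_Phdr);
}

/* Parses the constructed file; returns the e_phnum seen, or -1 on failure. */
static int phnum_seen(bool fixed)
{
    uint8_t file[FILE_LEN]; Elf64_Ehdr h;
    struct memfile f = { file, 0 };
    build_file(file);
    return read_ehdr(&f, &h, fixed) ? h.e_phnum : -1;
}
```

With the pre-patch sequence the magic check still passes (it was read from offset 0 before being overwritten), yet e_phnum comes back as 0 because the field is read from 16 bytes past its real location; the patched sequence returns 3.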