summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArnaldo Carvalho de Melo <acme@redhat.com>2026-06-07 21:04:50 -0300
committerArnaldo Carvalho de Melo <acme@redhat.com>2026-06-10 18:56:01 -0300
commit6eaa8ee3e2abe5112e80e94c27196bb175689469 (patch)
tree3b6634f6af277fdaac2e5042da9a71ff5bef25da
parent52b1f9678499b13b7aeb0186d9c6f486c043283f (diff)
perf symbols: Fix signed overflow in sysfs__read_build_id() size check
sysfs__read_build_id() reads ELF note headers from sysfs files. The note's namesz and descsz fields are used to compute the skip size: int n = namesz + descsz; if (n > (int)sizeof(bf)) Both namesz and descsz are size_t from NOTE_ALIGN() of 32-bit note header fields. Their sum can exceed INT_MAX, overflowing the signed int n to a negative value. The check n > sizeof(bf) then evaluates false (negative < positive in signed comparison), and read(fd, bf, n) reinterprets the negative n as a huge size_t count — the kernel writes up to MAX_RW_COUNT bytes into the 8192-byte stack buffer. In practice the overflow is bounded by the sysfs file's actual size, so a real sysfs notes file won't trigger it organically. But crafted input (e.g. via a mounted debugfs/sysfs image) could. Fix by validating namesz and descsz individually against the buffer size before summing, and change n to size_t to avoid the signed overflow entirely. Fixes: f1617b40596cb341 ("perf symbols: Record the build_ids of kernel modules too") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-rw-r--r--tools/perf/util/symbol-elf.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index c2bdfd0003df..8fb25a5692b5 100644
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -964,14 +964,17 @@ int sysfs__read_build_id(const char *filename, struct build_id *bid)
} else if (read(fd, bf, descsz) != (ssize_t)descsz)
break;
} else {
- int n = namesz + descsz;
+ size_t n;
- if (n > (int)sizeof(bf)) {
+ /* int sum of namesz+descsz can overflow negative, bypassing size check */
+ if (namesz > sizeof(bf) || descsz > sizeof(bf) - namesz) {
n = sizeof(bf);
pr_debug("%s: truncating reading of build id in sysfs file %s: n_namesz=%u, n_descsz=%u.\n",
__func__, filename, nhdr.n_namesz, nhdr.n_descsz);
+ } else {
+ n = namesz + descsz;
}
- if (read(fd, bf, n) != n)
+ if (read(fd, bf, n) != (ssize_t)n)
break;
}
}