[PATCH 08/13] perf header: Sanity check HEADER_GROUP_DESC

Next message: Arnaldo Carvalho de Melo: "[PATCH 09/13] perf header: Sanity check HEADER_CACHE"
Previous message: Arnaldo Carvalho de Melo: "[PATCH 06/13] perf header: Sanity check HEADER_MEM_TOPOLOGY"
In reply to: Arnaldo Carvalho de Melo: "[PATCH 06/13] perf header: Sanity check HEADER_MEM_TOPOLOGY"
Next in thread: Arnaldo Carvalho de Melo: "[PATCH 09/13] perf header: Sanity check HEADER_CACHE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arnaldo Carvalho de Melo

Date: Thu Apr 09 2026 - 20:42:56 EST

From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>

Add upper bound check on nr_groups in process_group_desc() to harden
against malformed perf.data files (max 32768), and move the env
assignment after validation.

Cc: Namhyung Kim <namhyung@xxxxxxxxxx>
Cc: Ian Rogers <irogers@xxxxxxxxxx>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/util/header.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 1d7ca467acf32bd4..8e3f4655fbacc6dd 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -3130,12 +3130,26 @@ static int process_group_desc(struct feat_fd *ff, void *data __maybe_unused)
if (do_read_u32(ff, &nr_groups))
return -1;

- env->nr_groups = nr_groups;
if (!nr_groups) {
pr_debug("group desc not available\n");
return 0;
}

+#define MAX_GROUP_DESC 32768
+ if (nr_groups > MAX_GROUP_DESC) {
+ pr_err("Invalid HEADER_GROUP_DESC: nr_groups (%u) > %u\n",
+ nr_groups, MAX_GROUP_DESC);
+ return -1;
+ }
+
+ if (ff->size < sizeof(u32) + nr_groups * 3 * sizeof(u32)) {
+ pr_err("Invalid HEADER_GROUP_DESC: section too small (%zu) for %u groups\n",
+ ff->size, nr_groups);
+ return -1;
+ }
+
+ env->nr_groups = nr_groups;
+
desc = calloc(nr_groups, sizeof(*desc));
if (!desc)
return -1;
--
2.53.0