[PATCH 09/13] perf header: Sanity check HEADER_CACHE

Next message: Arnaldo Carvalho de Melo: "[PATCH 10/13] perf header: Sanity check HEADER_HYBRID_TOPOLOGY"
Previous message: Samiullah Khawaja: "Re: [PATCH 04/14] iommu/pages: Add APIs to preserve/unpreserve/restore iommu pages"
In reply to: Arnaldo Carvalho de Melo: "[PATCH 08/13] perf header: Sanity check HEADER_GROUP_DESC"
Next in thread: Arnaldo Carvalho de Melo: "[PATCH 10/13] perf header: Sanity check HEADER_HYBRID_TOPOLOGY"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Arnaldo Carvalho de Melo

Date: Fri Apr 10 2026 - 18:15:48 EST

From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>

Add upper bound check on cache entry count in process_cache() to harden
against malformed perf.data files (max 32768).

Cc: Jiri Olsa <jolsa@xxxxxxxxxx>
Cc: Ian Rogers <irogers@xxxxxxxxxx>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/util/header.c | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 993e20debd5ca315..749a522fe057e739 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -63,6 +63,7 @@
#include <event-parse.h>
#endif

+#define MAX_CACHE_ENTRIES 32768
#define MAX_GROUP_DESC 32768
#define MAX_NUMA_NODES 4096
#define MAX_PMU_MAPPINGS 4096
@@ -3243,6 +3244,18 @@ static int process_cache(struct feat_fd *ff, void *data __maybe_unused)
if (do_read_u32(ff, &cnt))
return -1;

+ if (cnt > MAX_CACHE_ENTRIES) {
+ pr_err("Invalid HEADER_CACHE: cnt (%u) > %u\n",
+ cnt, MAX_CACHE_ENTRIES);
+ return -1;
+ }
+
+ if (ff->size < 2 * sizeof(u32) + cnt * 7 * sizeof(u32)) {
+ pr_err("Invalid HEADER_CACHE: section too small (%zu) for %u entries\n",
+ ff->size, cnt);
+ return -1;
+ }
+
caches = calloc(cnt, sizeof(*caches));
if (!caches)
return -1;
--
2.53.0