[PATCH 2/4] perf header: Validate string length before allocating in do_read_string()
From: Arnaldo Carvalho de Melo
Date: Tue Apr 14 2026 - 16:51:52 EST
From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
do_read_string() reads a u32 length from the file and immediately
allocates that many bytes. A crafted perf.data could claim a huge
string length, triggering a large allocation that would only be freed
moments later when __do_read() rejects the read against the section
bounds.
Check len against the remaining section size before the malloc().
Cc: Ian Rogers <irogers@xxxxxxxxxx>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/util/header.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 13bbf8df15f66cab..c27ed90727ea6629 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -269,6 +269,9 @@ static char *do_read_string(struct feat_fd *ff)
if (do_read_u32(ff, &len))
return NULL;
+ if (len > ff->size - ff->offset)
+ return NULL;
+
buf = malloc(len);
if (!buf)
return NULL;
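Review bot: the added check `len > ff->size - ff->offset` only bounds the allocation if ff->offset can never exceed ff->size. If those fields are unsigned and the offset ever runs past the size, the subtraction wraps to a very large value and a crafted len still reaches malloc(len). Consider making the invariant explicit, for example `if (ff->offset > ff->size || len > ff->size - ff->offset)`, or add a one-line comment saying why the offset cannot pass the size here. It would also help to confirm in the commit message that ff->size is set on every path that calls do_read_string(), since an unset or zero size would make this check reject every non-empty string.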
--
2.53.0