[PATCH 4/4] perf header: Validate bitmap size before allocating in do_read_bitmap()
From: Arnaldo Carvalho de Melo
Date: Tue Apr 14 2026 - 16:52:55 EST
From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
do_read_bitmap() reads a u64 bit count from the file and passes it
to bitmap_zalloc() without checking it against the remaining section
size. A crafted perf.data could trigger a large allocation that would
only fail later when the per-element reads exceed section bounds.

Check that the data needed (BITS_TO_U64(size) u64 values) fits in
the remaining section before allocating.

Currently used by process_mem_topology() for HEADER_MEM_TOPOLOGY.
Cc: Jiri Olsa <jolsa@xxxxxxxxxx>
Cc: Ian Rogers <irogers@xxxxxxxxxx>
Assisted-by: Claude Code:claude-opus-4-6
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/util/header.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index 3302748bac786fdf..f2d0b8408cc29744 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -300,6 +300,9 @@ static int do_read_bitmap(struct feat_fd *ff, unsigned long **pset, u64 *psize)
if (ret)
return ret;
+ if (BITS_TO_U64(size) > (ff->size - ff->offset) / sizeof(u64))
+ return -1;
+
set = bitmap_zalloc(size);
if (!set)
return -ENOMEM;
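Review bot: The new bound applies BITS_TO_U64() to the untrusted u64 `size` before anything limits it, so if that macro rounds up by adding to its argument before dividing (its definition is not visible in this hunk), a `size` close to the u64 maximum would wrap to a small word count, pass the comparison, and still reach bitmap_zalloc(size). Rejecting an oversized `size` before the macro is applied, for example by comparing `size / 64` against the remaining u64 count first, would make the check independent of the macro's overflow behaviour. The right-hand side `ff->size - ff->offset` also assumes offset never exceeds size; a short comment stating that invariant, or an explicit check, would help. Minor: the bare `return -1` sits directly above `return -ENOMEM`, so an errno value such as -EINVAL would keep the function's error returns consistent.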
--
2.53.0