[PATCH 0/1] perf util: fix out-of-bounds write in perf_exe()

Next message: Miguel Mart&#xED;n Gil: "[PATCH 1/1] perf util: fix perf_exe() buffer write past end"
Previous message: Peter Zijlstra: "Re: [PATCH v2 10/10] sched/eevdf: Move to a single runqueue"
Next in thread: Miguel Mart&#xED;n Gil: "[PATCH 1/1] perf util: fix perf_exe() buffer write past end"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miguel Martín Gil

Date: Tue May 26 2026 - 07:09:50 EST

perf_exe() currently passes the full buffer length to readlink() and then
unconditionally appends a trailing NUL at buf[n].

When readlink() returns exactly len bytes, the NUL store lands one byte past
the end of the caller buffer.

This series fixes it by reading at most len - 1 bytes and keeping explicit NUL
termination only within bounds. It also hardens the fallback path for tiny
buffers so copying "perf" cannot overflow.

Miguel Martín Gil (1):
perf util: fix perf_exe() buffer write past end

tools/perf/util/util.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

--
2.43.0