[PATCH 1/1] perf util: fix perf_exe() buffer write past end

Next message: Rafael J. Wysocki: "Re: [PATCH] power: snapshot: fix missing kernel-doc parameter descriptions"
Previous message: Miguel Mart&#xED;n Gil: "[PATCH 0/1] perf util: fix out-of-bounds write in perf_exe()"
In reply to: Miguel Mart&#xED;n Gil: "[PATCH 0/1] perf util: fix out-of-bounds write in perf_exe()"
Next in thread: Ian Rogers: "Re: [PATCH 1/1] perf util: fix perf_exe() buffer write past end"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miguel Martín Gil

Date: Tue May 26 2026 - 07:10:18 EST

perf_exe() passes len to readlink() and then unconditionally writes a trailing NUL at buf[n]. If readlink() returns len, the write lands one byte past the buffer.

Read at most len - 1 bytes and keep the existing NUL termination. Also guard the fallback path for tiny buffers so copying "perf" cannot overflow.

Signed-off-by: Miguel Martín Gil <miguel.martin.gil.uni@xxxxxxxxx>
---
tools/perf/util/util.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
index 25849434f0a4..2c2a5c449ffd 100644
--- a/tools/perf/util/util.c
+++ b/tools/perf/util/util.c
@@ -419,11 +419,21 @@ int perf_tip(char **strp, const char *dirpath)

char *perf_exe(char *buf, int len)
{
- int n = readlink("/proc/self/exe", buf, len);
+ int n;
+
+ if (len <= 0)
+ return buf;
+
+ n = readlink("/proc/self/exe", buf, len - 1);
if (n > 0) {
buf[n] = 0;
return buf;
}
+ if (len < (int)sizeof("perf")) {
+ buf[0] = '\0';
+ return buf;
+ }
+
return strcpy(buf, "perf");
}

--
2.43.0