Re: [PATCH 1/1] perf util: fix perf_exe() buffer write past end

Next message: Alexander Gordeev: "Re: [PATCH] s390: Implement _THIS_IP_ using inline asm"
Previous message: Steven Rostedt: "Re: [PATCH v6] tracing/eprobes: Allow use of BTF names to dereference pointers"
In reply to: Miguel Mart&#xED;n Gil: "[PATCH 1/1] perf util: fix perf_exe() buffer write past end"
Next in thread: Arnaldo Carvalho de Melo: "Re: [PATCH 1/1] perf util: fix perf_exe() buffer write past end"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ian Rogers

Date: Tue May 26 2026 - 11:46:20 EST

On Tue, May 26, 2026 at 4:10 AM Miguel Martín Gil
<miguel.martin.gil.uni@xxxxxxxxx> wrote:
>
> perf_exe() passes len to readlink() and then unconditionally writes a trailing NUL at buf[n]. If readlink() returns len, the write lands one byte past the buffer.
>
> Read at most len - 1 bytes and keep the existing NUL termination. Also guard the fallback path for tiny buffers so copying "perf" cannot overflow.
>
> Signed-off-by: Miguel Martín Gil <miguel.martin.gil.uni@xxxxxxxxx>

Reviewed-by: Ian Rogers <irogers@xxxxxxxxxx>

and Sashiko is green:
https://sashiko.dev/#/patchset/20260526110852.7259-2-miguel.martin.gil.uni%40gmail.com

Thanks,
Ian

> ---
> tools/perf/util/util.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
> index 25849434f0a4..2c2a5c449ffd 100644
> --- a/tools/perf/util/util.c
> +++ b/tools/perf/util/util.c
> @@ -419,11 +419,21 @@ int perf_tip(char **strp, const char *dirpath)
>
> char *perf_exe(char *buf, int len)
> {
> - int n = readlink("/proc/self/exe", buf, len);
> + int n;
> +
> + if (len <= 0)
> + return buf;
> +
> + n = readlink("/proc/self/exe", buf, len - 1);
> if (n > 0) {
> buf[n] = 0;
> return buf;
> }
> + if (len < (int)sizeof("perf")) {
> + buf[0] = '\0';
> + return buf;
> + }
> +
> return strcpy(buf, "perf");
> }
>
> --
> 2.43.0
>
>