[PATCH 01/23] perf pmu: Fix pmu_id() heap underwrite on empty identifier file

From: Arnaldo Carvalho de Melo

Date: Wed Jun 10 2026 - 15:54:50 EST


From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>

pmu_id() calls filename__read_str() then strips the trailing newline
via str[len - 1] = 0. If the PMU identifier file is empty,
filename__read_str() succeeds with len = 0. len - 1 underflows
size_t to SIZE_MAX, writing a null byte before the heap allocation.

Add a len == 0 check before the newline stripping.

Fixes: 51d548471510843e ("perf pmu: Add pmu_id()")
Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
Cc: John Garry <john.g.garry@xxxxxxxxxx>
Assisted-by: Claude Opus 4.6 <noreply@xxxxxxxxxxxxx>
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/util/pmu.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
index 9994709ef12be9ee..50f54674430e6206 100644
--- a/tools/perf/util/pmu.c
+++ b/tools/perf/util/pmu.c
@@ -865,6 +865,12 @@ static char *pmu_id(const char *name)
if (filename__read_str(path, &str, &len) < 0)
return NULL;

+ /* empty identifier file — nothing useful */
+ if (len == 0) {
+ free(str);
+ return NULL;
+ }
+
str[len - 1] = 0; /* remove line feed */

return str;
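Review bot: the unconditional `str[len - 1] = 0; /* remove line feed */` that follows the new `len == 0` check still overwrites the last byte whether or not it is a newline, so an identifier file holding a single byte with no trailing line feed passes the check and comes back as an empty string rather than NULL. Consider stripping only when `str[len - 1] == '\n'`, and decide whether an identifier that is empty after stripping (for example a file containing just "\n") should also take the `free(str); return NULL;` path, since the added comment treats an empty identifier as nothing useful. Minor style point: the added comment uses a non-ASCII dash; a plain ASCII "-" or a reworded comment would match the surrounding code.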
--
2.54.0