[PATCH 3/6] perf/header: reject data offset beyond file size

[Wang Haoran]

>From cc2ff328f62f766f74de038347d88ee2dc75f78d Mon Sep 17 00:00:00 2001
From: Wang Haoran <haoranwangsec@xxxxxxxxx>
Date: Thu, 28 May 2026 15:17:07 +0800
Subject: [PATCH 3/6] perf/header: reject data offset beyond file size

A crafted perf.data file can set data.offset to a value larger than
the actual file size.  perf then calls mmap() with that file offset,
which succeeds but maps a region entirely past the end of the file.
Any subsequent access to the mapped memory triggers SIGBUS.

Add a fstat() check in perf_file_header__read() that rejects files
whose claimed data.offset exceeds the real file size.

Fixes: <perf_file_header__read>
Signed-off-by: Wang Haoran <haoranwangsec@xxxxxxxxx>
---
 tools/perf/util/header.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
index e000eb9c1..f1a1831cf 100644
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -4335,6 +4335,15 @@ int perf_file_header__read(struct perf_file_header *header,
 		return -1;
 	}
 
+	{
+		struct stat st;
+
+		if (fstat(fd, &st) == 0 && header->data.offset > (u64)st.st_size) {
+			pr_err("Perf file header corrupt: data offset beyond file size\n");
+			return -1;
+		}
+	}
+
 	if (header->size != sizeof(*header)) {
 		/* Support the previous format */
 		if (header->size == offsetof(typeof(*header), adds_features))
-- 
2.53.0



---
ASan output on perf 7.0.6 (unpatched) with the attached PoC:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==55933==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5d35069296b4 bp 0x7fffd2df9100 sp 0x7fffd2df90a0 T0)
==55933==The signal is caused by a READ memory access.
==55933==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x5d35069296b4 in reader__read_event (perf+0x65e6b4) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #1 0x5d350692a21d in perf_session__process_events (perf+0x65f21d) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #2 0x5d350660ff97 in cmd_sched (perf+0x344f97) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #3 0x5d350664e87f in handle_internal_command (perf+0x38387f) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #4 0x5d35064c1836 in main (perf+0x1f6836) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)
    #5 0x7f111f42a600 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:59
    #6 0x7f111f42a717 in __libc_start_main_impl ../csu/libc-start.c:360
    #7 0x5d35064c9754 in _start (perf+0x1fe754) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db)

==55933==Register values:
rax = 0x0000000000000007  rbx = 0x00007b111d54bd90  rcx = 0x0000000000000001  rdx = 0x0000000000000000  
rdi = 0x00007b111d54bdd8  rsi = 0x00007ce11e5e0080  rbp = 0x00007fffd2df9100  rsp = 0x00007fffd2df90a0  
 r8 = 0x0000000000000f68   r9 = 0x0000000000000000  r10 = 0x00007ce11e5e0080  r11 = 0x0000000000000246  
r12 = 0x00007f111ebb7f68  r13 = 0x00000000000103c8  r14 = 0x00007f111ebb7f6e  r15 = 0x00007ce11e5e0080  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS (perf+0x65e6b4) (BuildId: 25d667fa7a7274046cb5bcb3375c4b1074f3f6db) in reader__read_event
==55933==ABORTING

Attachment: crash_sig7_iter210.data
Description: Binary data