[PATCH 12/23] perf symbols: Bounds-check descsz in sysfs__read_build_id() GNU fallback
From: Arnaldo Carvalho de Melo
Date: Wed Jun 10 2026 - 15:55:31 EST
From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
When sysfs__read_build_id() matches NT_GNU_BUILD_ID with the right
namesz but the name content is not "GNU", it falls back to reading
descsz bytes into the stack buffer bf[BUFSIZ]:
} else if (read(fd, bf, descsz) != (ssize_t)descsz)
Unlike the else branch which validates namesz + descsz against
sizeof(bf), this path passes descsz directly to read() without any
bounds check. A crafted sysfs file with a large n_descsz overflows
the 8192-byte stack buffer.
Add a descsz > sizeof(bf) check before the read, breaking out of
the loop on oversized values.
Fixes: e5a1845fc0aeca85 ("perf symbols: Split out util/symbol-elf.c")
Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
Cc: Namhyung Kim <namhyung@xxxxxxxxxx>
Assisted-by: Claude Opus 4.6 <noreply@xxxxxxxxxxxxx>
Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
---
tools/perf/util/symbol-elf.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index 36a0304707e13138..06cfb84f86eb2f64 100644
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -961,8 +961,13 @@ int sysfs__read_build_id(const char *filename, struct build_id *bid)
err = 0;
break;
}
- } else if (read(fd, bf, descsz) != (ssize_t)descsz)
- break;
+ } else {
+ /* descsz from untrusted file — clamp to buffer */
+ if (descsz > sizeof(bf))
+ break;
+ if (read(fd, bf, descsz) != (ssize_t)descsz)
+ break;
+ }
} else {
size_t n;
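Review bot: the comment on the new check (`/* descsz from untrusted file — clamp to buffer */`) says "clamp", but the code under it does not clamp; `if (descsz > sizeof(bf)) break;` abandons the note entirely, which matches the commit message ("breaking out of the loop on oversized values") but not the comment. Either reword the comment to say it rejects oversized notes, or make the behaviour consistent with the `else` branch below, which the commit message describes as validating `namesz + descsz` against `sizeof(bf)`, so the two paths treat an oversized note the same way. A `pr_debug()` naming the file and `n_descsz` at the new `break` would also help when a build-id silently fails to load. Minor style point: the added comment uses a non-ASCII dash; kernel comments conventionally stay plain ASCII.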
--
2.54.0