Re: [PATCH 02/13] perf symbols: Validate p_filesz before use in filename__read_build_id()
From: Ian Rogers
Date: Mon Jun 15 2026 - 13:07:58 EST
On Fri, Jun 12, 2026 at 3:24 PM Arnaldo Carvalho de Melo
<acme@xxxxxxxxxx> wrote:
>
> From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
>
> filename__read_build_id() stores ELF p_filesz in a ssize_t variable.
> A crafted 32-bit ELF with p_filesz = 0xFFFFFFFF produces ssize_t value
> -1. The comparison `p_filesz > buf_size` evaluates false because signed
> -1 is less than any non-negative buf_size, so the realloc is skipped and
> buf remains NULL.
>
> The subsequent read(fd, NULL, -1) returns -1, which equals p_filesz,
> passing the error check. read_build_id() then dereferences the NULL
> buffer.
>
> Add an explicit check for p_filesz <= 0 before using the value,
> catching both zero-length and sign-wrapped negative sizes from crafted
> ELF files.
>
> Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
> Fixes: ba0b7081f7a521d7 ("perf symbol-minimal: Fix ehdr reading in filename__read_build_id")
> Cc: Ian Rogers <irogers@xxxxxxxxxx>
> Assisted-by: Claude Opus 4.6 <noreply@xxxxxxxxxxxxx>
> Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
Reviewed-by: Ian Rogers <irogers@xxxxxxxxxx>
Thanks,
Ian
> ---
> tools/perf/util/symbol-minimal.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c
> index f4b0a711a62cf3de..0a71d146395271a6 100644
> --- a/tools/perf/util/symbol-minimal.c
> +++ b/tools/perf/util/symbol-minimal.c
> @@ -186,6 +186,9 @@ int filename__read_build_id(const char *filename, struct build_id *bid)
> continue;
>
> p_filesz = elf32 ? hdrs.phdr32[i].p_filesz : hdrs.phdr64[i].p_filesz;
> + /* ssize_t can go negative with crafted ELF p_filesz values */
> + if (p_filesz <= 0)
> + continue;
> if (p_filesz > buf_size) {
> void *tmp;
>
> --
> 2.54.0
>