Re: [PATCH 04/13] perf dso: Fix heap overflow in dso__get_filename() on decompressed path
From: Ian Rogers
Date: Mon Jun 15 2026 - 13:10:09 EST
On Fri, Jun 12, 2026 at 3:24 PM Arnaldo Carvalho de Melo
<acme@xxxxxxxxxx> wrote:
>
> From: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
>
> dso__get_filename() allocates name with malloc(PATH_MAX), but the
> dso__filename_with_chroot() path replaces name with an asprintf'd
> exact-size string (e.g. 8 bytes for "/a/b.ko"). When the DSO needs
> decompression, dso__decompress_kmodule_path() writes the temp path
> ("/tmp/perf-kmod-XXXXXX", 22 bytes) into newpath, and strcpy(name,
> newpath) overflows the smaller allocation.
>
> Replace the strcpy with strdup(newpath) + free(name) so the buffer
> is always correctly sized for its content.
>
> Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
> Fixes: 1d6b3c9ba756a513 ("perf tools: Decompress kernel module when reading DSO data")
> Cc: Namhyung Kim <namhyung@xxxxxxxxxx>
> Assisted-by: Claude Opus 4.6 <noreply@xxxxxxxxxxxxx>
> Signed-off-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>
Reviewed-by: Ian Rogers <irogers@xxxxxxxxxx>
Thanks,
Ian
> ---
> tools/perf/util/dso.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
> index 5d017975873817ec..511921bd901d8145 100644
> --- a/tools/perf/util/dso.c
> +++ b/tools/perf/util/dso.c
> @@ -603,8 +603,15 @@ static char *dso__get_filename(struct dso *dso, const char *root_dir,
>
> /* empty pathname means file wasn't actually compressed */
> if (newpath[0] != '\0') {
> + char *tmp = strdup(newpath);
> +
> + if (!tmp) {
> + unlink(newpath);
> + goto out;
> + }
> + free(name);
> + name = tmp;
> *decomp = true;
> - strcpy(name, newpath);
> }
> }
> return name;
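Review bot: the strdup failure branch (`if (!tmp) { unlink(newpath); goto out; }`) falls through to `out` with `name` still pointing at the original, non-decompressed path and `*decomp` left false, and the hunk does not show whether `out:` returns that name or NULL; the commit message should state what callers get on allocation failure, since returning the still-compressed path silently degrades to the pre-decompression behaviour rather than reporting an error. Also worth a comment above `free(name)`: the free is only correct because every earlier assignment to `name` is heap-allocated (the `malloc(PATH_MAX)` and `asprintf` paths named in the changelog), so a future path that stores a non-heap pointer in `name` would turn this into an invalid free.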
> --
> 2.54.0
>