perf tools: Validate perf event header size
The 'size' variable includes the header so must be at least 'sizeof(struct perf_event_header)'. Error out immediately if that is not the case. Also don't byte-swap the header until it is actually "fetched" from the mmap region. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Ingo Molnar <mingo@kernel.org> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Mike Galbraith <efault@gmx.de> Cc: Namhyung Kim <namhyung@gmail.com> Cc: Paul Mackerras <paulus@samba.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Stephane Eranian <eranian@google.com> Link: http://lkml.kernel.org/r/1372944040-32690-9-git-send-email-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
This commit is contained in:
parent
93edcbd91d
commit
27389d7823
@ -1094,8 +1094,10 @@ more:
|
||||
perf_event_header__bswap(&event->header);
|
||||
|
||||
size = event->header.size;
|
||||
if (size == 0)
|
||||
size = 8;
|
||||
if (size < sizeof(struct perf_event_header)) {
|
||||
pr_err("bad event header size\n");
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
if (size > cur_size) {
|
||||
void *new = realloc(buf, size);
|
||||
@ -1164,8 +1166,12 @@ fetch_mmaped_event(struct perf_session *session,
|
||||
if (session->header.needs_swap)
|
||||
perf_event_header__bswap(&event->header);
|
||||
|
||||
if (head + event->header.size > mmap_size)
|
||||
if (head + event->header.size > mmap_size) {
|
||||
/* We're not fetching the event so swap back again */
|
||||
if (session->header.needs_swap)
|
||||
perf_event_header__bswap(&event->header);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return event;
|
||||
}
|
||||
@ -1245,7 +1251,7 @@ more:
|
||||
|
||||
size = event->header.size;
|
||||
|
||||
if (size == 0 ||
|
||||
if (size < sizeof(struct perf_event_header) ||
|
||||
perf_session__process_event(session, event, tool, file_pos) < 0) {
|
||||
pr_err("%#" PRIx64 " [%#x]: failed to process type: %d\n",
|
||||
file_offset + head, event->header.size,
|
||||
|
Loading…
Reference in New Issue
Block a user