On Tue, Aug 13, 2024 at 2:29 AM Andrii Nakryiko <andrii@xxxxxxxxxx> wrote: > Harden build ID parsing logic, adding explicit READ_ONCE() where it's > important to have a consistent value read and validated just once. > > Also, as pointed out by Andi Kleen, we need to make sure that entire ELF > note is within a page bounds, so move the overflow check up and add an > extra note_size boundaries validation. > > Fixes tag below points to the code that moved this code into > lib/buildid.c, and then subsequently was used in perf subsystem, making > this code exposed to perf_event_open() users in v5.12+. Sorry, I missed some things in previous review rounds: [...] > @@ -18,31 +18,37 @@ static int parse_build_id_buf(unsigned char *build_id, [...] > if (nhdr->n_type == BUILD_ID && > - nhdr->n_namesz == sizeof("GNU") && > - !strcmp((char *)(nhdr + 1), "GNU") && > - nhdr->n_descsz > 0 && > - nhdr->n_descsz <= BUILD_ID_SIZE_MAX) { > - memcpy(build_id, > - note_start + note_offs + > - ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr), > - nhdr->n_descsz); > - memset(build_id + nhdr->n_descsz, 0, > - BUILD_ID_SIZE_MAX - nhdr->n_descsz); > + name_sz == note_name_sz && > + strcmp((char *)(nhdr + 1), note_name) == 0 && Please change this to something like "memcmp((char *)(nhdr + 1), note_name, note_name_sz) == 0" to ensure that we can't run off the end of the page if there are no null bytes in the rest of the page. [...] > @@ -90,8 +97,8 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, > for (i = 0; i < ehdr->e_phnum; ++i) { Please change this to "for (i = 0; i < phnum; ++i) {" like in the 64-bit version. With these two changes applied: Reviewed-by: Jann Horn <jannh@xxxxxxxxxx>