perf tools: Check we are able to read the event size on mmap

Check we have enough mmaped space to read the current event size from its headers, otherwise we may dereference some hell there. Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Stephane Eranian <eranian@google.com>

perf tools: Check we are able to read the event size on mmap
Check we have enough mmaped space to read the current event size from its headers, otherwise we may dereference some hell there. Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Stephane Eranian <eranian@google.com>
Frederic Weisbecker
1 parent c5fc472171
Showing 1 changed file with 7 additions and 0 deletions Side-by-side Diff
tools/perf/util/session.c
@@ -1007,6 +1007,13 @@
 	file_pos = file_offset + head;
  
 more:
+	/*
+	 * Ensure we have enough space remaining to read
+	 * the size of the event in the headers.
+	 */
+	if (head + sizeof(event->header) > mmap_size)
+		goto remap;
+
 	event = (union perf_event *)(buf + head);
  
 	if (session->header.needs_swap)
...	...	@@ -1007,6 +1007,13 @@
1007	1007	file_pos = file_offset + head;
1008	1008
1009	1009	more:
	1010	+ /*
	1011	+ * Ensure we have enough space remaining to read
	1012	+ * the size of the event in the headers.
	1013	+ */
	1014	+ if (head + sizeof(event->header) > mmap_size)
	1015	+ goto remap;
	1016	+
1010	1017	event = (union perf_event *)(buf + head);
1011	1018
1012	1019	if (session->header.needs_swap)