authorArnaldo Carvalho de Melo <acme@redhat.com>2026-06-13 13:59:39 -0300
committerArnaldo Carvalho de Melo <acme@redhat.com>2026-06-17 09:21:03 -0300
commitfe63d3bca288c5bb983304efd5fc3a5ff3183403 (patch)
tree98d4d90a698d425c5fb056c28d15965db5185c01
parent8a4506595857356fcef9f7aad3506593e9fabbbc (diff)
perf machine: Use snprintf() for guestmount path construction
machines__findnew() and machines__create_guest_kernel_maps() use sprintf() to build paths by prepending symbol_conf.guestmount. Both write into PATH_MAX stack buffers, but guestmount comes from user configuration and is not length-checked. A guestmount path at or near PATH_MAX causes a stack buffer overflow. Switch to snprintf() with sizeof() to prevent overflow. The subsequent access()/fopen() calls will fail on a truncated path. Fixes: a1645ce12adb6c9c ("perf: 'perf kvm' tool for monitoring guest performance from host") Reported-by: sashiko-bot <sashiko-bot@kernel.org> Cc: Zhang, Yanmin <yanmin_zhang@linux.intel.com> Assisted-by: Claude:claude-opus-4.6 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-rw-r--r--tools/perf/util/machine.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
index 9329d319bd033..0d2ebf6a84bcf 100644
--- a/tools/perf/util/machine.c
+++ b/tools/perf/util/machine.c
@@ -333,7 +333,7 @@ struct machine *machines__findnew(struct machines *machines, pid_t pid)
if ((pid != HOST_KERNEL_ID) &&
(pid != DEFAULT_GUEST_KERNEL_ID) &&
(symbol_conf.guestmount)) {
- sprintf(path, "%s/%d", symbol_conf.guestmount, pid);
+ snprintf(path, sizeof(path), "%s/%d", symbol_conf.guestmount, pid);
if (access(path, R_OK)) {
static struct strlist *seen;
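Review bot: The snprintf() return value is discarded here and again in the machines__create_guest_kernel_maps() hunk, so truncation passes silently and the code relies on access()/fopen() rejecting the shortened path. That is not guaranteed: with `"%s/%d"` the cut can drop trailing digits of pid and leave a path that names a different, existing guest directory, which would then be accepted as this guest's root. Comparing the result with the buffer size makes the failure explicit, e.g. `if (snprintf(path, sizeof(path), "%s/%d", symbol_conf.guestmount, pid) >= (int)sizeof(path))` followed by the function's existing error path; in the second hunk the loop's existing `pr_debug(...); continue;` pattern fits. Both function bodies extend outside the hunks, so the exact error handling should be confirmed against the full source.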
@@ -1260,9 +1260,9 @@ int machines__create_guest_kernel_maps(struct machines *machines)
namelist[i]->d_name);
continue;
}
- sprintf(path, "%s/%s/proc/kallsyms",
- symbol_conf.guestmount,
- namelist[i]->d_name);
+ snprintf(path, sizeof(path), "%s/%s/proc/kallsyms",
+ symbol_conf.guestmount,
+ namelist[i]->d_name);
ret = access(path, R_OK);
if (ret) {
pr_debug("Can't access file %s\n", path);