The note_data at ptr is read as a nhdr but this may yield
out-of-bounds reads if there isn't nhdrs worth of data. Be more
defensive before doing the reads. This is motivated by address
sanitizer capturing out of bounds reads running "perf top".

Signed-off-by: Ian Rogers <irogers@google.com>
---
 tools/perf/util/symbol-minimal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c
index 41e4ebe5eac5..aeb253248895 100644
--- a/tools/perf/util/symbol-minimal.c
+++ b/tools/perf/util/symbol-minimal.c
@@ -42,7 +42,7 @@ static int read_build_id(void *note_data, size_t note_len, struct build_id *bid,
 	void *ptr;
 
 	ptr = note_data;
-	while (ptr < (note_data + note_len)) {
+	while ((ptr + sizeof(*nhdr)) < (note_data + note_len)) {
 		const char *name;
 		size_t namesz, descsz;
 
-- 
2.51.0.384.g4c02a37b29-goog

On Sun, Sep 14, 2025 at 11:31:31AM -0700, Ian Rogers wrote:
> The note_data at ptr is read as a nhdr but this may yield
> out-of-bounds reads if there isn't nhdrs worth of data. Be more
> defensive before doing the reads. This is motivated by address
> sanitizer capturing out of bounds reads running "perf top".

Thanks, applied to perf-tools-next,

- Arnaldo
 
> Signed-off-by: Ian Rogers <irogers@google.com>
> ---
>  tools/perf/util/symbol-minimal.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c
> index 41e4ebe5eac5..aeb253248895 100644
> --- a/tools/perf/util/symbol-minimal.c
> +++ b/tools/perf/util/symbol-minimal.c
> @@ -42,7 +42,7 @@ static int read_build_id(void *note_data, size_t note_len, struct build_id *bid,
>  	void *ptr;
>  
>  	ptr = note_data;
> -	while (ptr < (note_data + note_len)) {
> +	while ((ptr + sizeof(*nhdr)) < (note_data + note_len)) {
>  		const char *name;
>  		size_t namesz, descsz;
>  
> -- 
> 2.51.0.384.g4c02a37b29-goog