KernelScan.io

HIGH

perf Event Group Heap Overflow

CVE-2023-6931

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.


Engine v0.2.0

Risk summary

An attacker with local access and perf event creation privileges can trigger a heap buffer overflow by carefully crafting performance monitoring event groups. This can lead to kernel memory corruption and potential privilege escalation to root. The attack requires specific knowledge of perf event internals but is reliable once the conditions are met.

Affected: kernel/events/core.c

Vulnerability analysis

Root Cause: The perf_event_validate_size() function only validated the size of newly added events without checking that existing events in the group would also have their read_size recalculated when the new event is attached. Since events can have different read_format attributes, adding a new event could cause existing events' read_size to overflow the 16KB limit, leading to heap out-of-bounds writes in perf_read_group().

Attack Surface: Local attack surface requiring the ability to create perf events. Attackers need sufficient privileges to use the perf_event_open() system call, which typically requires CAP_SYS_ADMIN or relaxed perf_event_paranoid settings. The vulnerability is triggered when adding events to performance monitoring groups with specific read_format configurations.

Fix Mechanism: The patch refactors perf_event_validate_size() to check all events in the group (the new event, group leader, and all siblings) to ensure their read_size would not exceed 16KB after the new event is added. It also extracts the size calculation logic into a separate __perf_event_read_size() function that takes read_format and nr_siblings as parameters, making validation more comprehensive.
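As an added illustration of the fix mechanism described above (example code, not KernelScan's analysis output and not the kernel's own source): a user-space model of the read_size computation, with the group-wide validation the patch introduces beside the single-event check it replaces. The read_format bit values are the real ones from uapi/linux/perf_event.h; the group model (all existing siblings sharing one read_format, sample header sizes ignored) is an assumed simplification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* read_format bits, values as in uapi/linux/perf_event.h */
#define PERF_FORMAT_TOTAL_TIME_ENABLED (1U << 0)
#define PERF_FORMAT_TOTAL_TIME_RUNNING (1U << 1)
#define PERF_FORMAT_ID                 (1U << 2)
#define PERF_FORMAT_GROUP              (1U << 3)
#define PERF_FORMAT_LOST               (1U << 4)
#define READ_SIZE_LIMIT                (16 * 1024) /* cap enforced by the fix */

/* Bytes one event's read buffer needs for a given read_format and sibling
 * count (models __perf_event_read_size(read_format, nr_siblings)). */
static size_t model_read_size(uint64_t read_format, int nr_siblings)
{
    size_t entry = sizeof(uint64_t); /* the counter value itself */
    size_t size = 0;
    size_t nr = 1;

    if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) size += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) size += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_ID)   entry += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_LOST) entry += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_GROUP) {
        nr += (size_t)nr_siblings; /* one entry per group member */
        size += sizeof(uint64_t);  /* the leading nr field */
    }
    return size + nr * entry;
}

/* Pre-fix check (simplified model): only the event being attached is sized.
 * The group is a leader plus nr_siblings siblings sharing sibling_fmt. */
static bool validate_old(uint64_t leader_fmt, uint64_t sibling_fmt,
                         int nr_siblings, uint64_t new_fmt)
{
    (void)leader_fmt; (void)sibling_fmt; /* never consulted: the root cause */
    return model_read_size(new_fmt, nr_siblings + 1) <= READ_SIZE_LIMIT;
}

/* Post-fix check: every member is re-sized with the post-attach count. */
static bool validate_fixed(uint64_t leader_fmt, uint64_t sibling_fmt,
                           int nr_siblings, uint64_t new_fmt)
{
    int after = nr_siblings + 1; /* siblings once the new event is attached */
    if (model_read_size(new_fmt, after) > READ_SIZE_LIMIT) return false;
    if (model_read_size(leader_fmt, after) > READ_SIZE_LIMIT) return false;
    if (nr_siblings > 0 && model_read_size(sibling_fmt, after) > READ_SIZE_LIMIT)
        return false;
    return true;
}
```

With a leader using PERF_FORMAT_GROUP|PERF_FORMAT_ID|PERF_FORMAT_LOST (24 bytes per member) and a few hundred siblings, attaching a plain event passes validate_old while the leader's own read_size is already past 16 KiB; validate_fixed rejects the same attach.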


Branch     Fixed in   Patch commit
mainline   6.7        382c27f4ed28