bpf: use correct loop bound for conf->cpus traversal in cpuinfo map c…

…reation

We were using the wrong bound, causing a buffer overrun on machines with
online CPUs that do not have sequential CPU IDs.

(Add an assertion to verify that there are never more online CPUs
than possible CPUs.)

Orabug: 36356681
Signed-off-by: Nick Alcock <nick.alcock@oracle.com>
Reviewed-by: Kris Van Hees <kris.van.hees@oracle.com>

libdtrace/dt_bpf.c

@@ -1,6 +1,6 @@
 /*
  * Oracle Linux DTrace.
- * Copyright (c) 2019, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -613,10 +613,13 @@ gmap_create_cpuinfo(dtrace_hdl_t *dtp)
 	int			i, rc;
 	uint32_t		key = 0;
 	dtrace_conf_t		*conf = &dtp->dt_conf;
-	size_t			ncpus = conf->max_cpuid + 1;
+	size_t			ncpus = conf->num_online_cpus;
 	dt_bpf_cpuinfo_t	*data;
 	cpuinfo_t		*ci;
 
+	/*
+	 * num_possible_cpus <= num_online_cpus: see dt_conf_init.
+	 */
 	data = dt_calloc(dtp, dtp->dt_conf.num_possible_cpus,
 			 sizeof(dt_bpf_cpuinfo_t));
 	if (data == NULL)

libdtrace/dt_conf.c

@@ -1,6 +1,6 @@
 /*
  * Oracle Linux DTrace.
- * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -98,6 +98,8 @@ dt_conf_init(dtrace_hdl_t *dtp)
 	if (conf->num_online_cpus == 0 || conf->cpus == NULL)
 		return;
 
+	assert(conf->num_possible_cpus >= conf->num_online_cpus);
+
 	conf->max_cpuid = conf->cpus[conf->num_online_cpus - 1].cpu_id;
 
 	/* Retrieve the chip ID (physical_package_id) for each CPU. */