arch/m68k/kernel/uboot.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
When the size of commandp >= size, an out-of-bounds array write occurs because
len == 0.
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
arch/m68k/kernel/uboot.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
index 928dbd33fc4a..05eca6f653b5 100644
--- a/arch/m68k/kernel/uboot.c
+++ b/arch/m68k/kernel/uboot.c
@@ -101,5 +101,8 @@ __init void process_uboot_commandline(char *commandp, int size)
}
parse_uboot_commandline(commandp, len);
- commandp[len - 1] = 0;
+ if (len > 0)
+ commandp[len - 1] = 0;
+ else
+ commandp[0] = 0;
}
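Review bot: the new else branch (`+ commandp[0] = 0;`) still writes out of bounds in exactly the case the patch is meant to fix: len == 0 means there is no room left at the position commandp points to, so commandp[0] is one byte past the end of the `size` bytes the function was given (the follow-up in this thread makes the same point). Rather than replacing one out-of-bounds store with another, skip the terminator store (and the preceding `parse_uboot_commandline(commandp, len);` call, which has nothing to parse) when len == 0, or terminate within the buffer's last valid byte; the commit message should then say explicitly how a completely full buffer is handled.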
--
2.25.1
On Dez 27 2021, Hangyu Hua wrote:
> diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
> index 928dbd33fc4a..05eca6f653b5 100644
> --- a/arch/m68k/kernel/uboot.c
> +++ b/arch/m68k/kernel/uboot.c
> @@ -101,5 +101,8 @@ __init void process_uboot_commandline(char *commandp, int size)
> }
>
> parse_uboot_commandline(commandp, len);
> - commandp[len - 1] = 0;
> + if (len > 0)
> + commandp[len - 1] = 0;
> + else
> + commandp[0] = 0;

If len == 0 then even commandp[0] is OOB.

--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
But commandp[len - 1] is used to add a zero terminator. If we don't use commandp[0]=0 when len == 0, then commandp will not have a zero terminator. I think strings may make some errors because of this.

Thanks.

Andreas Schwab <schwab@linux-m68k.org> wrote on Mon, 27 Dec 2021 at 17:19:
>
> On Dez 27 2021, Hangyu Hua wrote:
>
> > diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c
> > index 928dbd33fc4a..05eca6f653b5 100644
> > --- a/arch/m68k/kernel/uboot.c
> > +++ b/arch/m68k/kernel/uboot.c
> > @@ -101,5 +101,8 @@ __init void process_uboot_commandline(char *commandp, int size)
> > }
> >
> > parse_uboot_commandline(commandp, len);
> > - commandp[len - 1] = 0;
> > + if (len > 0)
> > + commandp[len - 1] = 0;
> > + else
> > + commandp[0] = 0;
>
> If len == 0 then even commandp[0] is OOB.
>
> --
> Andreas Schwab, schwab@linux-m68k.org
> GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
> "And now for something completely different."
On Dez 27 2021, Hangyu Hua wrote:
> If we don't use
> commandp[0]=0 when len == 0,
> then commandp will not have a zero terminator.

That doesn't make sense. There is no room for the zero.

--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
You are right. I will resubmit the patch later.

Thanks.

Andreas Schwab <schwab@linux-m68k.org> wrote on Mon, 27 Dec 2021 at 19:56:
>
> On Dez 27 2021, Hangyu Hua wrote:
>
> > If we don't use
> > commandp[0]=0 when len == 0,
> > then commandp will not have a zero terminator.
>
> That doesn't make sense. There is no room for the zero.
>
> --
> Andreas Schwab, schwab@linux-m68k.org
> GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
> "And now for something completely different."