From nobody Mon Jun 8 09:52:57 2026 Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE35B2367DF for ; Sat, 30 May 2026 04:48:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780116509; cv=none; b=MsfBSZa8M50qB5sJiyjyPflaj82yto41Fp4La3XAK4PKoWlruZIJB8DxS1sIaFhFvf8sEzBozYAdQmkm571vrgA4DU4+jigHy8t5v41DSLUHd02Rlb6vn9gRYd16jinB/vIH7W87V7yu5majPK858o2F1AnpHyFqhOjLIQAXXnw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780116509; c=relaxed/simple; bh=I6Ut+gVj05jHa0IJLOFCJdIVKPiPW8XF33m1bpTcVCQ=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=pC8KFm/K9ATYNbaFs1aWTneG1DLb9srPwSPM11G8X5E5b9nhTbyieToKPLYYnUG6ZUvxtPN8OXVPRV68fMqfoh2hxPi9nlttbTQIfYBg4BhXWPvzEfiH/PhdNjvsDuacyRfSbuIQh0ALtM8yU34PcFNbCRpqPS6LEkbhYvrKz14= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=AzYCM4vR; arc=none smtp.client-ip=209.85.215.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AzYCM4vR" Received: by mail-pg1-f182.google.com with SMTP id 41be03b00d2f7-c8588ec1b44so237440a12.1 for ; Fri, 29 May 2026 21:48:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780116507; x=1780721307; darn=vger.kernel.org; h=content-disposition:mime-version:message-id:subject:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=4gQL50ZPCXD9wSCyLl1bLwbLNdGJXD52dybLjkCAYKE=; b=AzYCM4vRejxLiiYqzK1Zvclhuv8yQg3tegWhbJNQFB+wO/ne9FQc3+Bt8ZFy/RwYbr rsXwxwbWQvAWKX3mOCS0qeTBlOuaUQ+ddNvh1I3oQPPhUyl5GC4VRQHYAw+10A6tDsdO WTqQ9G/0yahNXTZxBwGrEEZUBFcRodWo8dFllHZZ+fBR6zIpsculCBMykxHJgc0DCk72 dL9aAmx0goRk789X36JN8VdIOCGOzjV4r3HMvVfdiWRG7GoMgEtTztfsbuvKx3WAcgQr 75o58HVV689sqPRP6VdZL8Vdihi4qSkQ1cPC2lcEfNNtHiAnBKiGzZF4e0e0580FItuR CRAQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780116507; x=1780721307; h=content-disposition:mime-version:message-id:subject:to:from:date :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4gQL50ZPCXD9wSCyLl1bLwbLNdGJXD52dybLjkCAYKE=; b=nn0D3OIMhKKgSQ60UTcPyin1qKaornZLhzOXwAca6rT4na53jAHJxzlYaZZp2tGqnc /WQ5qpTu/AsSya5+ChOjlpNdzFZ7c6O+oO/+vUuFkaNOaJ4aHJJZXXWSP5i+nI7oL4QI oD9aClYhKthPa19hUrCBDxISp+TuB9knVQojyo/y2TUjbyyGIwG/hkzjxrJ4oT9K2Bqw aQlWWGnJE5FUBzXPB2NlrhyUKl+j1kldxV8rqa7Ux40AMwRbdOuA/EBNgGZ4iaV2j/5J OXSRNQEbw9P0UYPkqeAeuGPqrB6e/ptlrlNjbJ98Cxi6egq9NWsdU6WZcTtdbbBNp9kQ gnIA== X-Forwarded-Encrypted: i=1; AFNElJ8MmrEBn5oxBgA4nwiZoc0E6hIv3zjjL/0st9ylSKojhJ6qCJ86Xwi7+Sg/vTLnpl7nlgF0ZwgH8wKamjw=@vger.kernel.org X-Gm-Message-State: AOJu0YzKBySUoem+4kBDujeOJi27XnYSbBsaakeZYntrD8QDEK4/MsK5 Y8HnDakWpoeBDATdMZOK9kyncE3Cd127vQQsYo89B+o8O8OE3QNrtdiKqAokug== X-Gm-Gg: Acq92OHPCuiqQSOn2rnu9AXpNsfUqFqWKSxyr9ctfaVC/vTQSLxaPh5QofZ46Sa2Ce9 aJKHKxATf4moebFsP4gsKG+CPlCwSJQndDfc0EL5GuKvbtBu2W1xddPbIrrElHSEgmw7YsUjFR1 4o+bpYgh9lkHIOQ+tQ/rZGS7w/B6jhY1nWYE6+O/KA4dA3r46LPtlrOufVTsp5IhqZOFF4qnzmD ePxfRSgm6yYCh+pWNjxpDHJ2DygUAWOXrnUW1gr7cVaTllgshKy3L7U2lNO54w/pLdiyW99hKu7 9Kb1xYzyp+GJw5fDYviGzzheqUTboyVOJvxwHRtKvzFGq/PWx1HniXC59TOLjQocNV30DR5F/5v uSCU8I7/KxZr9cSiNTOJRr8fw1O1c3f6lt8QTlRiyMAgNGsa+oZpYv28qmQy2SqYS5OPvrEVJZG vZDCZAe3MIz32lt23PTnuXkgg2p3eUlq5kJpQ= X-Received: by 2002:a05:6a20:9c89:b0:398:9662:110e with SMTP id adf61e73a8af0-3b427f88b6cmr2373252637.8.1780116507120; Fri, 29 May 2026 21:48:27 -0700 (PDT) Received: from localhost ([2405:201:4027:a919:e2b2:8560:26ea:4d1]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c8583333e80sm1355446a12.18.2026.05.29.21.48.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 May 2026 21:48:26 -0700 (PDT) Date: Sat, 30 May 2026 10:18:24 +0530 From: Naveen Kumar Chaudhary To: pmladek@suse.com, linux-kernel@vger.kernel.org Subject: [PATCH] printk: fix out-of-bounds access in try_enable_preferred_console() Message-ID: <7sq4tr2nmlz32tvkf6vpsghv6exvqfghsrlvywjcqihzsqqbf7@bspclmti5xg4> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When all MAX_CMDLINECONSOLES (8) slots in console_cmdline[] are occupied and none match the newly registered console, the for loop exits with i =3D=3D MAX_CMDLINECONSOLES and c pointing past the end of the array. The subsequent access to c->user_specified is then an out-of-bounds read. This can occur when a self-enabling console (one with CON_ENABLED already set), such as netconsole or pstore, calls register_console() on a system where the console_cmdline[] array has been filled by a combination of command-line console=3D parameters, ACPI SPCR, device tree stdout-path, and/or arch-specific add_preferred_console() calls. Add a bounds check to ensure c is only dereferenced when the loop exited due to finding an empty slot (i.e., c still points within the array). Also add parentheses around the bitwise-AND to silence compiler warnings about its use in a boolean context. Signed-off-by: Naveen Kumar Chaudhary --- kernel/printk/printk.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index 0323149548f6..00282ca467fd 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -3938,7 +3938,8 @@ static int try_enable_preferred_console(struct consol= e *newcon, * without matching. Accept the pre-enabled consoles only when match() * and setup() had a chance to be called. */ - if (newcon->flags & CON_ENABLED && c->user_specified =3D=3D user_specifie= d) + if (i < MAX_CMDLINECONSOLES && (newcon->flags & CON_ENABLED) && + c->user_specified =3D=3D user_specified) return 0; =20 return -ENOENT; --=20 2.43.0