From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Wed, 11 Jun 2025 13:50:03 +0000 (+0300)
Subject: api.c: prevent array out-of-bounds access in cgroup_parse_rules_file
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e7dd5a903d078742b71de69227e944213231fa3;p=thirdparty%2Flibcgroup.git

api.c: prevent array out-of-bounds access in cgroup_parse_rules_file

In the function src/api.c/cgroup_parse_rules_file, the condition of loop:

for (i = 0; lst->tail->controllers[i]; i++)
        cgroup_dbg(" %s", lst->tail->controllers[i]);

allows accessing lst->tail->controllers[MAX_MNT_ELEMENTS] if
lst->tail->controllers is full and lacks a terminating NULL.

Add explicit bounds checking (i < MAX_MNT_ELEMENTS) while maintaining
the NULL check. This ensures that there will never be reading past the
array boundaries regardless of its content.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Acked-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit ce5749a5ba752d0e273e427fbd2bb68f9f846b64)
---

diff --git a/src/api.c b/src/api.c
index ec81da0c..2b539acd 100644
--- a/src/api.c
+++ b/src/api.c
@@ -974,7 +974,7 @@ static int cgroup_parse_rules_file(char *filename, bool cache, uid_t muid, gid_t
 			   lst->tail->username, lst->tail->uid, lst->tail->gid,
 			   lst->tail->destination);
 
-		for (i = 0; lst->tail->controllers[i]; i++)
+		for (i = 0; i < MAX_MNT_ELEMENTS && lst->tail->controllers[i]; i++)
 			cgroup_dbg(" %s", lst->tail->controllers[i]);
 		cgroup_dbg("\n");
 	}