From a34831579172371ec55272b07e5f2995eea1459f Mon Sep 17 00:00:00 2001
From: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Date: Wed, 11 Jun 2025 16:37:46 +0300
Subject: [PATCH] api.c: prevent array out-of-bounds access in
 cgroup_create_template_group

In the function src/api.c/cgroup_create_template_group,
the loop condition:

while (tmp->controllers[i] != NULL) {

allows accessing tmp->controllers[MAX_MNT_ELEMENTS] if tmp->controllers
is full and lacks a terminating NULL.

Add explicit bounds checking (i < MAX_MNT_ELEMENTS) while maintaining
the NULL check. This ensures that there will never be reading past
the array boundaries regardless of its content.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Acked-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
---
 src/api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api.c b/src/api.c
index 44032f50..ec81da0c 100644
--- a/src/api.c
+++ b/src/api.c
@@ -4591,7 +4591,7 @@ static int cgroup_create_template_group(char *orig_group_name, struct cgroup_rul
 
 		/* Test for which controllers wanted group does not exist */
 		i = 0;
-		while (tmp->controllers[i] != NULL) {
+		while (i < MAX_MNT_ELEMENTS && tmp->controllers[i] != NULL) {
 			exist = cgroup_exist_in_subsystem(tmp->controllers[i], group_name);
 
 			if (exist != 0) {
-- 
2.47.3