]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
bootconfig: fix NULL-pointer arithmetic in xbc_snprint_cmdline()
authorBreno Leitao <leitao@debian.org>
Fri, 26 Jun 2026 12:50:10 +0000 (05:50 -0700)
committerMasami Hiramatsu (Google) <mhiramat@kernel.org>
Tue, 30 Jun 2026 23:08:27 +0000 (08:08 +0900)
commitdec4d8118c179b3d12bca7e609054c6011c4f2ce
tree16b2b8afa515f8e35079009a8dd60722ac83592a
parentdc59e4fea9d83f03bad6bddf3fa2e52491777482
bootconfig: fix NULL-pointer arithmetic in xbc_snprint_cmdline()

xbc_snprint_cmdline() is meant to be called twice: first with
buf=NULL, size=0 to probe the rendered length, then with a real
buffer to fill it (the standard snprintf() two-pass pattern). The
probe call makes the function compute "buf + size" (NULL + 0) and,
on every iteration, advance "buf += ret" from that NULL base and
pass the result back into snprintf().

Pointer arithmetic on a NULL pointer is undefined behavior. It is
harmless in the in-kernel callers today, but the follow-up patches
run this same code in the userspace tools/bootconfig parser at kernel
build time, where host UBSan / FORTIFY_SOURCE abort the build.

Track a running written length (size_t) instead of mutating @buf, and
only form "buf + len" when @buf is non-NULL. snprintf(NULL, 0, ...)
is itself well defined and returns the would-be length, so the
two-pass "probe then fill" usage returns identical byte counts.

Link: https://lore.kernel.org/all/20260626-bootconfig_using_tools-v7-1-24ab72139c29@debian.org/
Fixes: 51887d03aca1 ("bootconfig: init: Allow admin to use bootconfig for kernel command line")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
lib/bootconfig.c