api.c: prevent array out-of-bounds access in cgroup_parse_rules_file

In the function src/api.c/cgroup_parse_rules_file, the condition of loop:

for (i = 0; lst->tail->controllers[i]; i++)
        cgroup_dbg(" %s", lst->tail->controllers[i]);

allows accessing lst->tail->controllers[MAX_MNT_ELEMENTS] if
lst->tail->controllers is full and lacks a terminating NULL.

Add explicit bounds checking (i < MAX_MNT_ELEMENTS) while maintaining
the NULL check. This ensures that there will never be reading past the
array boundaries regardless of its content.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Acked-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>

diff --git a/src/api.c b/src/api.c
index ec81da0ca1388de2cb8e372efcf0f1130108dc37..2b539acd0b872860f39b2778ae7e3223c09a41a4 100644 (file)
--- a/src/api.c
+++ b/src/api.c
@@ -974,7 +974,7 @@ static int cgroup_parse_rules_file(char *filename, bool cache, uid_t muid, gid_t
                           lst->tail->username, lst->tail->uid, lst->tail->gid,
                           lst->tail->destination);
 
-               for (i = 0; lst->tail->controllers[i]; i++)
+               for (i = 0; i < MAX_MNT_ELEMENTS && lst->tail->controllers[i]; i++)
                        cgroup_dbg(" %s", lst->tail->controllers[i]);
                cgroup_dbg("\n");
        }