From: Kamalesh Babulal
Date: Thu, 12 Mar 2026 03:39:43 +0000 (+0530)
Subject: config: pass NULL when probing systemd default cgroup
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;p=thirdparty%2Flibcgroup.git

config: pass NULL when probing systemd default cgroup

ASan reported the following global-buffer-overflow:

READ of size 1 at 0x7f50dc6b3e9f thread T0
    #0 0x... in cg_concat_path /src/api.c:1769
    #1 0x... in cg_build_path_locked /src/api.c:1889
    #2 0x... in cg_build_path /src/api.c:1910
    #3 0x.. in systemd_default_cgroup_exists /src/config.c:2258
    #4 0x.. in cgroup_set_default_systemd_cgroup /src/config.c:2306
    #5 0x... in main /src/tools/cgdelete.c:193
    #6 0x... in __libc_start_call_main (/lib64/libc.so.6+0x2a60f)
    #7 0x... in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a6bf)
    #8 0x... in _start (/usr/local/bin/cgdelete+0x402384)

0x... sits one byte to the left of the empty string literal '.LC3'
that systemd_default_cgroup_exists() handed to cg_build_path(). Passing
an empty suffix made cg_concat_path() evaluate suf[-1] while it decided
whether to append a trailing slash, triggering the ASan
global-buffer-overflow.

Fix by passing NULL instead of "" (empty string), so cg_build_path()
skips the suffix concatenation entirely. The resulting canonical paths
are unchanged, but cgdelete (and any other caller) now runs without
trampling the adjacent literal.

Fixes: https://github.com/libcgroup/libcgroup/issues/526
Signed-off-by: Kamalesh Babulal
Signed-off-by: Tom Hromatka
---

diff --git a/src/config.c b/src/config.c
index da208f82..0d7acd33 100644
--- a/src/config.c
+++ b/src/config.c
@@ -2264,12 +2264,12 @@ static bool systemd_default_cgroup_exists(void) * check for empty cgroup v2, the most common usage in * the hybrid case. */ - if (cg_build_path("", path, NULL)) + if (cg_build_path(NULL, path, NULL)) break; case CGROUP_MODE_UNIFIED: /* fallthrough */ case CGROUP_MODE_LEGACY: - cg_build_path("", path, "cpu"); + cg_build_path(NULL, path, "cpu"); /* fallthrough */ case CGROUP_MODE_UNK: break;
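
Review bot: Both changed calls in systemd_default_cgroup_exists() now pass NULL, but the read of suf[-1] that the commit message describes happens inside cg_concat_path(), which this patch leaves untouched, so any other caller that hands cg_build_path() an empty string as its first argument will still read one byte before its buffer. Consider also handling the empty-string case where the bug actually occurs, for example by checking the suffix length in cg_concat_path() before indexing, or by having cg_build_path_locked() treat an empty name the same as NULL, so the fix does not rely on every call site avoiding "". Separately, the call in the CGROUP_MODE_LEGACY arm, cg_build_path(NULL, path, "cpu"), discards the return value while the hybrid arm above checks it; the visible lines do not show why a failure is safe to ignore there, so either check the result or say so in the comment.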