]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
bootconfig: fix NULL-pointer arithmetic in xbc_snprint_cmdline()
authorBreno Leitao <leitao@debian.org>
Fri, 26 Jun 2026 12:50:10 +0000 (05:50 -0700)
committerMasami Hiramatsu (Google) <mhiramat@kernel.org>
Tue, 30 Jun 2026 23:08:27 +0000 (08:08 +0900)
xbc_snprint_cmdline() is meant to be called twice: first with
buf=NULL, size=0 to probe the rendered length, then with a real
buffer to fill it (the standard snprintf() two-pass pattern). The
probe call makes the function compute "buf + size" (NULL + 0) and,
on every iteration, advance "buf += ret" from that NULL base and
pass the result back into snprintf().

Pointer arithmetic on a NULL pointer is undefined behavior. It is
harmless in the in-kernel callers today, but the follow-up patches
run this same code in the userspace tools/bootconfig parser at kernel
build time, where host UBSan / FORTIFY_SOURCE abort the build.

Track a running written length (size_t) instead of mutating @buf, and
only form "buf + len" when @buf is non-NULL. snprintf(NULL, 0, ...)
is itself well defined and returns the would-be length, so the
two-pass "probe then fill" usage returns identical byte counts.

Link: https://lore.kernel.org/all/20260626-bootconfig_using_tools-v7-1-24ab72139c29@debian.org/
Fixes: 51887d03aca1 ("bootconfig: init: Allow admin to use bootconfig for kernel command line")
Cc: stable@vger.kernel.org
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
lib/bootconfig.c

index f445b7703fdd966c24596987455605e2a7d44c6e..2ed9ee3dc81c725810633a63fdbe109855a99bd6 100644 (file)
@@ -427,10 +427,18 @@ static char xbc_namebuf[XBC_KEYLEN_MAX] __initdata;
 int __init xbc_snprint_cmdline(char *buf, size_t size, struct xbc_node *root)
 {
        struct xbc_node *knode, *vnode;
-       char *end = buf + size;
        const char *val, *q;
+       size_t len = 0;
        int ret;
 
+       /*
+        * Track the running written length rather than advancing @buf, so we
+        * never form "buf + size" or "buf += ret" while @buf is NULL (the
+        * size-probe call passes buf=NULL, size=0). NULL pointer arithmetic
+        * is undefined behavior and trips host UBSan / FORTIFY_SOURCE when
+        * this renderer runs at kernel build time. snprintf(NULL, 0, ...)
+        * itself is well defined and returns the would-be length.
+        */
        xbc_node_for_each_key_value(root, knode, val) {
                ret = xbc_node_compose_key_after(root, knode,
                                        xbc_namebuf, XBC_KEYLEN_MAX);
@@ -439,10 +447,11 @@ int __init xbc_snprint_cmdline(char *buf, size_t size, struct xbc_node *root)
 
                vnode = xbc_node_get_child(knode);
                if (!vnode) {
-                       ret = snprintf(buf, rest(buf, end), "%s ", xbc_namebuf);
+                       ret = snprintf(buf ? buf + len : NULL, rest(len, size),
+                                      "%s ", xbc_namebuf);
                        if (ret < 0)
                                return ret;
-                       buf += ret;
+                       len += ret;
                        continue;
                }
                xbc_array_for_each_value(vnode, val) {
@@ -452,15 +461,15 @@ int __init xbc_snprint_cmdline(char *buf, size_t size, struct xbc_node *root)
                         * whitespace.
                         */
                        q = strpbrk(val, " \t\r\n") ? "\"" : "";
-                       ret = snprintf(buf, rest(buf, end), "%s=%s%s%s ",
-                                      xbc_namebuf, q, val, q);
+                       ret = snprintf(buf ? buf + len : NULL, rest(len, size),
+                                      "%s=%s%s%s ", xbc_namebuf, q, val, q);
                        if (ret < 0)
                                return ret;
-                       buf += ret;
+                       len += ret;
                }
        }
 
-       return buf - (end - size);
+       return len;
 }
 #undef rest