tracing/probe: reject non-closed empty immediate strings

[ Upstream commit 4346be6577aaa04586167402ae87bbdbe32484a4 ]

parse_probe_arg() accepts quoted immediate strings and passes the body
after the opening quote to __parse_imm_string(). That helper currently
computes strlen(str) and immediately dereferences str[len - 1], which
underflows when the body is empty and not closed with double-quotation.

Reject empty non-closed immediate strings before checking for the closing quote.

Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/
Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
index 2f571083ce9ec107c9ff3eb2f1374075f5fa77c7..8dc495561c3f93a11c472dd5b8e483759dcfc197 100644 (file)
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -1069,7 +1069,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
 {
        size_t len = strlen(str);
 
-       if (str[len - 1] != '"') {
+       if (!len || str[len - 1] != '"') {
                trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
                return -EINVAL;
        }