[PATCH linux-next] init/do_mounts: fix potential memory out of bounds access

From: cgel . zte
Date: Mon Sep 13 2021 - 07:43:45 EST


From: xu xin <xu.xin16@xxxxxxxxxx>

Initially the pointer "p" points to the start of "pages".
In the loop "while(*p++) {...}", it ends when "*p" equals
zero. Just after that, the pointer "p" moves forward
with "p++", so "p" may point out of "pages".

Furthermore, it is no use to set *p = '\0', so we remove it.

Reported-by: Zeal Robot <zealci@xxxxxxxxxx>
Acked-by: zhang yunkai <zhang.yunkai@xxxxxxxxxx>
Signed-off-by: xu xin <xu.xin16@xxxxxxxxxx>
---
init/do_mounts.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/init/do_mounts.c b/init/do_mounts.c
index 2ed30ff6c906..ee1172599249 100644
--- a/init/do_mounts.c
+++ b/init/do_mounts.c
@@ -348,7 +348,6 @@ static int __init split_fs_names(char *page, char *names)
if (p[-1] == ',')
p[-1] = '\0';
}
- *p = '\0';

for (p = page; *p; p += strlen(p)+1)
count++;
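
Review bot: the loop kept directly below the removed line, `for (p = page; *p; p += strlen(p)+1)`, still dereferences `*p` one byte past the last string's terminator when the list is non-empty. That is the same position the deleted `*p = '\0';` stored to, so this change does not remove the access the commit message describes; it only turns the write into a read. The deleted store is also what supplied the empty-string terminator that this loop needs in order to stop, so after the patch termination depends on that byte already being zero, which nothing in the hunk guarantees. If the caller always passes a zero-filled page, state that in the commit message or in a comment above the loop. Otherwise keep the store and bound the input so that the names plus two NUL bytes are guaranteed to fit in the page.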
--
2.25.1