Commit ebe07a9d authored by Young Xiao's avatar Young Xiao Committed by Greg Kroah-Hartman

Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var

[ Upstream commit b281218a ]

There is an out-of-bounds access to "config[len - 1]" array when the
variable "len" is zero.

See commit dada6a43 ("kgdboc: fix KASAN global-out-of-bounds bug
in param_set_kgdboc_var()") for details.
Signed-off-by: default avatarYoung Xiao <YangX92@hotmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent f6440636
...@@ -1135,7 +1135,7 @@ static void kgdbts_put_char(u8 chr) ...@@ -1135,7 +1135,7 @@ static void kgdbts_put_char(u8 chr)
static int param_set_kgdbts_var(const char *kmessage, static int param_set_kgdbts_var(const char *kmessage,
const struct kernel_param *kp) const struct kernel_param *kp)
{ {
int len = strlen(kmessage); size_t len = strlen(kmessage);
if (len >= MAX_CONFIG_LEN) { if (len >= MAX_CONFIG_LEN) {
printk(KERN_ERR "kgdbts: config string too long\n"); printk(KERN_ERR "kgdbts: config string too long\n");
...@@ -1155,7 +1155,7 @@ static int param_set_kgdbts_var(const char *kmessage, ...@@ -1155,7 +1155,7 @@ static int param_set_kgdbts_var(const char *kmessage,
strcpy(config, kmessage); strcpy(config, kmessage);
/* Chop out \n char as a result of echo */ /* Chop out \n char as a result of echo */
if (config[len - 1] == '\n') if (len && config[len - 1] == '\n')
config[len - 1] = '\0'; config[len - 1] = '\0';
/* Go and configure with the new params. */ /* Go and configure with the new params. */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment