From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 56C1625F7B9; Tue, 23 Jun 2026 16:16:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782231408; cv=none; b=cq2Z/UNlt8vpKKPPqoXKqU6C460ITgsreBEMda58N8a9A1l0TEmEY36RXpfhTawyd5MFM/cK4FegVLKWwTpO8EJeLP6xnttikvDwJ3YplskdM54hzi66qXTgXbMjDXxpmEcqQLXqDZdhYcTMEWobOB9N3VN3PN4Hs6YVPBFjyfU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782231408; c=relaxed/simple; bh=FONYNlnjtYQKKhWdd3PPsq2YJhbR1niQBio60BndP/A=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=jYKm0am7PM4b2OrpEuvVyr8czp3zxRd2PMNXTUEfTUm279Befea3MjmJwvheARkNiosYbsftwLSBsF1p9vv5umFWZtmhXLbWcZOk6b3fkLJhREolwUqQl3i8L8wzQw+3f79WIVrOQpkIA/KZzGLkR5S2D6gb7HGgubJTXwzwjrc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org; spf=pass smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=AK9pFu8/; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="AK9pFu8/" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=edR1O+4zo8Kn4wUlhsD/K514WXfjjVwDAwj4dTB/RZ0=; b=AK9pFu8/7WIaRXujwneKamKAtg ZXz+Q0ZGvGKNUq7vDBGV90Yb5cu03aicKLmLwOMyvdR8NKrzmMuXNbclXb9uqqYl+lQprF1SYYE8x OT4ISt4nEYN0GrrmxDpesbCqLYEpWktowP6kqvxCpZqbcGTJbA/W/t2QNWZSzqTsMcQ1uWfRffwVa ziCSC9ro8fK172GPqQNEgZ2SYE8eUI3EU7kbEWvn0Bg1JH8IXROWdJkR1PbcyQqdhPw9sMvImApzW MIFoNM9mivT00pAeI971OYc3OLgQJ6vbpl4GhQZdqzs/kOi7fJSDNg1gei95S+NkoZ5hq2Mq7tZSk 9ICnizvA==; Received: from authenticated-user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from ) id 1wc3ng-001m2D-0I; Tue, 23 Jun 2026 16:16:36 +0000 From: Breno Leitao Date: Tue, 23 Jun 2026 09:15:28 -0700 Subject: [PATCH v6 1/8] bootconfig: fix NULL-pointer arithmetic in xbc_snprint_cmdline() Precedence: bulk X-Mailing-List: linux-doc@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20260623-bootconfig_using_tools-v6-1-640c2f587a3c@debian.org> References: <20260623-bootconfig_using_tools-v6-0-640c2f587a3c@debian.org> In-Reply-To: <20260623-bootconfig_using_tools-v6-0-640c2f587a3c@debian.org> To: Masami Hiramatsu , Andrew Morton , Nathan Chancellor , paulmck@kernel.org, Nicolas Schier , Nick Desaulniers , Bill Wendling , Justin Stitt , Jonathan Corbet , Shuah Khan Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, bpf@vger.kernel.org, llvm@lists.linux.dev, linux-doc@vger.kernel.org, Breno Leitao , kernel-team@meta.com X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=openpgp-sha256; l=3061; i=leitao@debian.org; h=from:subject:message-id; bh=FONYNlnjtYQKKhWdd3PPsq2YJhbR1niQBio60BndP/A=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBqOrFXrQWaPmV8VMSMrkNzJiOp5bCRe8ovmDvMH j4rUNVDMIyJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCajqxVwAKCRA1o5Of/Hh3 bXEFEACHM9OAqeePpJ0wSOMVYrB0X72/XihYLu8zbZf22IB5dRtZTDyFsTAV0O0WR88NOScta5p 4DapYn0iVuJrNwbSaRLMHOJ7g+LJkPUX2M3fpj3IBIbTbDyt3BReL+SGSHMSbUM+3yqNqP3776p xcU8RK2+5wWYIptQCBwj79i9lN/WhIFMr8LQLz0MR2NYJ15CUyM7US/XOZLqEGYY6ID8ar289WT LkxLYFu6Acmf/dCA82/gxkzhyhDmYBaqRcebTyXmnZZ0dWEkdlX9os5HXyu2d3Ybrt2EoA/+C6W lonbv4PZwoJO5jFvKQHoYrPZsdxmacnJhp05YkmrDRWt+sorIYjbMcULO7znQbCpADPR3wgCm3r f4EHoGAi2+C+81VY9SWGaO5kwiVws9ZcPqh+qVEBl7g/LBq7CzjZgs2I/xZTSM7Ess6HcqrVqYH 6Dzkdh0wK6/+AbV3KW1iVQool9UZiojWFj86cgIbjeGse+afZVKAseosXG2Vz3fsw/bSfr/DlL1 Q/DX7gBeFeyMyaIyHwOjR7iok4pjXWfMlctzDtl56ZDDdfZ2bAsDJNfBl+Fd0wKYK5YeX/HSt/x ssSPQqxjqdhklG8H/JzoL1zPamN8LAMY+srBXOfPg5JeLPE1G3dE3qfqPJi7vlHDW5Qw7K3Wx1j nWkfo+MQv3kkU2g== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao xbc_snprint_cmdline() is meant to be called twice: first with buf=NULL, size=0 to probe the rendered length, then with a real buffer to fill it (the standard snprintf() two-pass pattern). The probe call makes the function compute "buf + size" (NULL + 0) and, on every iteration, advance "buf += ret" from that NULL base and pass the result back into snprintf(). Pointer arithmetic on a NULL pointer is undefined behavior. It is harmless in the in-kernel callers today, but the follow-up patches run this same code in the userspace tools/bootconfig parser at kernel build time, where host UBSan / FORTIFY_SOURCE abort the build. Track a running written length (size_t) instead of mutating @buf, and only form "buf + len" when @buf is non-NULL. snprintf(NULL, 0, ...) is itself well defined and returns the would-be length, so the two-pass "probe then fill" usage returns identical byte counts. Signed-off-by: Breno Leitao --- lib/bootconfig.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/lib/bootconfig.c b/lib/bootconfig.c index f445b7703fdd9..2ed9ee3dc81c7 100644 --- a/lib/bootconfig.c +++ b/lib/bootconfig.c @@ -427,10 +427,18 @@ static char xbc_namebuf[XBC_KEYLEN_MAX] __initdata; int __init xbc_snprint_cmdline(char *buf, size_t size, struct xbc_node *root) { struct xbc_node *knode, *vnode; - char *end = buf + size; const char *val, *q; + size_t len = 0; int ret; + /* + * Track the running written length rather than advancing @buf, so we + * never form "buf + size" or "buf += ret" while @buf is NULL (the + * size-probe call passes buf=NULL, size=0). NULL pointer arithmetic + * is undefined behavior and trips host UBSan / FORTIFY_SOURCE when + * this renderer runs at kernel build time. snprintf(NULL, 0, ...) + * itself is well defined and returns the would-be length. + */ xbc_node_for_each_key_value(root, knode, val) { ret = xbc_node_compose_key_after(root, knode, xbc_namebuf, XBC_KEYLEN_MAX); @@ -439,10 +447,11 @@ int __init xbc_snprint_cmdline(char *buf, size_t size, struct xbc_node *root) vnode = xbc_node_get_child(knode); if (!vnode) { - ret = snprintf(buf, rest(buf, end), "%s ", xbc_namebuf); + ret = snprintf(buf ? buf + len : NULL, rest(len, size), + "%s ", xbc_namebuf); if (ret < 0) return ret; - buf += ret; + len += ret; continue; } xbc_array_for_each_value(vnode, val) { @@ -452,15 +461,15 @@ int __init xbc_snprint_cmdline(char *buf, size_t size, struct xbc_node *root) * whitespace. */ q = strpbrk(val, " \t\r\n") ? "\"" : ""; - ret = snprintf(buf, rest(buf, end), "%s=%s%s%s ", - xbc_namebuf, q, val, q); + ret = snprintf(buf ? buf + len : NULL, rest(len, size), + "%s=%s%s%s ", xbc_namebuf, q, val, q); if (ret < 0) return ret; - buf += ret; + len += ret; } } - return buf - (end - size); + return len; } #undef rest -- 2.53.0-Meta