* [PATCH] kconfig: fix potential NULL pointer dereference in conf_askvalue
@ 2026-02-25 7:22 Xingjing Deng
2026-02-25 19:44 ` Nathan Chancellor
0 siblings, 1 reply; 5+ messages in thread
From: Xingjing Deng @ 2026-02-25 7:22 UTC (permalink / raw)
To: nathan, nsc, rdunlap, masahiroy; +Cc: linux-kbuild, linux-kernel, Xingjing Deng
In conf_askvalue(), the 'def' argument (retrieved via sym_get_string_value)
can be NULL. When the symbol is not changeable, the code calls
printf("%s\n", def), which leads to a segmentation fault on certain
systems/libc implementations when passing a NULL pointer to %s.
This patch adds a check to ensure 'def' is not NULL before printing.
Additionally, it removes the redundant re-initialization of the 'line'
buffer inside the !sym_is_changeable(sym) block, as it is already
initialized at the beginning of the function.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xingjing Deng <micro6947@gmail.com>
---
scripts/kconfig/conf.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/scripts/kconfig/conf.c b/scripts/kconfig/conf.c
index a7b44cd8a..2771bc84e 100644
--- a/scripts/kconfig/conf.c
+++ b/scripts/kconfig/conf.c
@@ -297,9 +297,7 @@ static int conf_askvalue(struct symbol *sym, const char *def)
line[1] = 0;
if (!sym_is_changeable(sym)) {
- printf("%s\n", def);
- line[0] = '\n';
- line[1] = 0;
+ printf("%s\n", def ? def : "");
return 0;
}
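Review bot: the removal of `line[0] = '\n'; line[1] = 0;` in this hunk rests on the commit message's claim that `line` is already initialized at the top of the function, but the visible context shows only `line[1] = 0;` above the `if`; it should be confirmed that the earlier initialization also sets `line[0]` to `'\n'`, otherwise the `!sym_is_changeable(sym)` path now returns with different `line` contents than before. The `def ? def : ""` guard itself is sound, since passing NULL to a `%s` conversion is undefined behaviour rather than a guaranteed "(null)", but it turns a NULL default into a silently echoed empty line; the commit message should state whether `sym_get_string_value()` can actually return NULL on this path or whether this is a static-analysis finding.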
@@ -307,7 +305,7 @@ static int conf_askvalue(struct symbol *sym, const char *def)
case oldconfig:
case syncconfig:
if (sym_has_value(sym)) {
- printf("%s\n", def);
+ printf("%s\n", def ? def : "");
return 0;
}
/* fall through */
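Review bot: this hunk duplicates the `def ? def : ""` guard from the first hunk; one consistent form at both call sites (the `def ?: ""` shorthand suggested later in the thread, or a small NULL-safe helper) would avoid the two sites drifting apart. On this path `sym_has_value(sym)` is true, so a NULL `def` would mean a symbol that has a value but no string representation; printing an empty line hides that state, so a comment explaining when it can occur, or a warning instead of silent output, would help.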
--
2.25.1
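To show what the two patched early-return paths do with a NULL string value after the guard, here is an added stand-alone model of them (example code written for this thread, not kconfig's own source): `struct symbol`, `sym_is_changeable()`, `sym_has_value()`, `sym_get_string_value()` and `enum input_mode` are assumed minimal stand-ins, and `askvalue_echo()` writes the line that `conf_askvalue()` would print into a buffer so the result can be checked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kconfig's struct symbol (assumption: only the
 * fields this example needs; not the kernel's definition). */
struct symbol {
	const char *name;
	const char *value;	/* NULL models sym_get_string_value() returning NULL */
	bool changeable;
	bool has_value;
};

/* Assumed stand-ins for the kconfig accessors used by conf_askvalue(). */
static bool sym_is_changeable(const struct symbol *sym) { return sym->changeable; }
static bool sym_has_value(const struct symbol *sym) { return sym->has_value; }
static const char *sym_get_string_value(const struct symbol *sym) { return sym->value; }

/* Passing NULL to a "%s" conversion is undefined behaviour in C: glibc
 * happens to print "(null)", other libcs dereference the pointer and crash.
 * This is the same guard the patch adds, factored into one helper. */
static const char *safe_str(const char *s) { return s ? s : ""; }

/* Assumed stand-in for kconfig's input mode enum (only the modes used here). */
enum input_mode { oldconfig, syncconfig, other_mode };

/* Mirrors the two early-return paths the patch touches. Instead of printing,
 * the echoed line is written to 'out'. Returns 0 when the value is accepted
 * without prompting (the patched paths), 1 when the user would be asked. */
static int askvalue_echo(const struct symbol *sym, enum input_mode mode,
			 char *out, size_t outlen)
{
	const char *def = sym_get_string_value(sym);

	if (!sym_is_changeable(sym)) {
		snprintf(out, outlen, "%s\n", safe_str(def));
		return 0;
	}
	if ((mode == oldconfig || mode == syncconfig) && sym_has_value(sym)) {
		snprintf(out, outlen, "%s\n", safe_str(def));
		return 0;
	}
	out[0] = '\0';
	return 1;
}
```

The NULL case shows the user-visible effect of the guard: a blank line is echoed where the value would normally appear, rather than a crash.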
* Re: [PATCH] kconfig: fix potential NULL pointer dereference in conf_askvalue
2026-02-25 7:22 [PATCH] kconfig: fix potential NULL pointer dereference in conf_askvalue Xingjing Deng
@ 2026-02-25 19:44 ` Nathan Chancellor
2026-02-26 1:25 ` Xingjing Deng
0 siblings, 1 reply; 5+ messages in thread
From: Nathan Chancellor @ 2026-02-25 19:44 UTC (permalink / raw)
To: Xingjing Deng; +Cc: nsc, rdunlap, masahiroy, linux-kbuild, linux-kernel
On Wed, Feb 25, 2026 at 07:22:46AM +0000, Xingjing Deng wrote:
> In conf_askvalue(), the 'def' argument (retrieved via sym_get_string_value)
> can be NULL. When the symbol is not changeable, the code calls
> printf("%s\n", def), which leads to a segmentation fault on certain
> systems/libc implementations when passing a NULL pointer to %s.
How do you reproduce this segmentation fault? Surely someone would have
hit this if it were a real problem given the Fixes tag? Or is this a
corner case?
> This patch adds a check to ensure 'def' is not NULL before printing.
> Additionally, it removes the redundant re-initialization of the 'line'
> buffer inside the !sym_is_changeable(sym) block, as it is already
> initialized at the beginning of the function.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Xingjing Deng <micro6947@gmail.com>
> ---
> scripts/kconfig/conf.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/scripts/kconfig/conf.c b/scripts/kconfig/conf.c
> index a7b44cd8a..2771bc84e 100644
> --- a/scripts/kconfig/conf.c
> +++ b/scripts/kconfig/conf.c
> @@ -297,9 +297,7 @@ static int conf_askvalue(struct symbol *sym, const char *def)
> line[1] = 0;
>
> if (!sym_is_changeable(sym)) {
> - printf("%s\n", def);
> - line[0] = '\n';
> - line[1] = 0;
> + printf("%s\n", def ? def : "");
> return 0;
> }
>
> @@ -307,7 +305,7 @@ static int conf_askvalue(struct symbol *sym, const char *def)
> case oldconfig:
> case syncconfig:
> if (sym_has_value(sym)) {
> - printf("%s\n", def);
> + printf("%s\n", def ? def : "");
> return 0;
> }
> /* fall through */
> --
> 2.25.1
>
* Re: [PATCH] kconfig: fix potential NULL pointer dereference in conf_askvalue
2026-02-25 19:44 ` Nathan Chancellor
@ 2026-02-26 1:25 ` Xingjing Deng
2026-02-26 20:35 ` Nathan Chancellor
0 siblings, 1 reply; 5+ messages in thread
From: Xingjing Deng @ 2026-02-26 1:25 UTC (permalink / raw)
To: Nathan Chancellor; +Cc: nsc, rdunlap, masahiroy, linux-kbuild, linux-kernel
Nathan Chancellor <nathan@kernel.org> wrote on Thu, Feb 26, 2026 at 03:44:
>
> On Wed, Feb 25, 2026 at 07:22:46AM +0000, Xingjing Deng wrote:
> > In conf_askvalue(), the 'def' argument (retrieved via sym_get_string_value)
> > can be NULL. When the symbol is not changeable, the code calls
> > printf("%s\n", def), which leads to a segmentation fault on certain
> > systems/libc implementations when passing a NULL pointer to %s.
>
> How do you reproduce this segmentation fault? Surely someone would have
> hit this if it were a real problem given the Fixes tag? Or is this a
> corner case?
I tested printing NULL with printf locally and confirmed that it does
cause issues. In my opinion, this problem is more of a corner case—I
identified it through static program analysis and have not yet
reproduced it in practice.
>
> > This patch adds a check to ensure 'def' is not NULL before printing.
> > Additionally, it removes the redundant re-initialization of the 'line'
> > buffer inside the !sym_is_changeable(sym) block, as it is already
> > initialized at the beginning of the function.
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Xingjing Deng <micro6947@gmail.com>
> > ---
> > scripts/kconfig/conf.c | 6 ++----
> > 1 file changed, 2 insertions(+), 4 deletions(-)
> >
> > diff --git a/scripts/kconfig/conf.c b/scripts/kconfig/conf.c
> > index a7b44cd8a..2771bc84e 100644
> > --- a/scripts/kconfig/conf.c
> > +++ b/scripts/kconfig/conf.c
> > @@ -297,9 +297,7 @@ static int conf_askvalue(struct symbol *sym, const char *def)
> > line[1] = 0;
> >
> > if (!sym_is_changeable(sym)) {
> > - printf("%s\n", def);
> > - line[0] = '\n';
> > - line[1] = 0;
> > + printf("%s\n", def ? def : "");
> > return 0;
> > }
> >
> > @@ -307,7 +305,7 @@ static int conf_askvalue(struct symbol *sym, const char *def)
> > case oldconfig:
> > case syncconfig:
> > if (sym_has_value(sym)) {
> > - printf("%s\n", def);
> > + printf("%s\n", def ? def : "");
> > return 0;
> > }
> > /* fall through */
> > --
> > 2.25.1
> >
* Re: [PATCH] kconfig: fix potential NULL pointer dereference in conf_askvalue
2026-02-26 1:25 ` Xingjing Deng
@ 2026-02-26 20:35 ` Nathan Chancellor
2026-03-01 5:31 ` Xingjing Deng
0 siblings, 1 reply; 5+ messages in thread
From: Nathan Chancellor @ 2026-02-26 20:35 UTC (permalink / raw)
To: Xingjing Deng; +Cc: nsc, rdunlap, masahiroy, linux-kbuild, linux-kernel
On Thu, Feb 26, 2026 at 09:25:28AM +0800, Xingjing Deng wrote:
> Nathan Chancellor <nathan@kernel.org> wrote on Thu, Feb 26, 2026 at 03:44:
> >
> > On Wed, Feb 25, 2026 at 07:22:46AM +0000, Xingjing Deng wrote:
> > > In conf_askvalue(), the 'def' argument (retrieved via sym_get_string_value)
> > > can be NULL. When the symbol is not changeable, the code calls
> > > printf("%s\n", def), which leads to a segmentation fault on certain
> > > systems/libc implementations when passing a NULL pointer to %s.
> >
> > How do you reproduce this segmentation fault? Surely someone would have
> > hit this if it were a real problem given the Fixes tag? Or is this a
> > corner case?
>
> I tested printing NULL with printf locally and confirmed that it does
> cause issues. In my opinion, this problem is more of a corner case—I
> identified it through static program analysis and have not yet
> reproduced it in practice.
Thanks for confirming. I think it would be better to make this clearer
in the commit message because it reads as though the problem is
reproducible in practice. Also, 'def ?: ""' would do the same thing with
fewer characters.
Cheers,
Nathan
* Re: [PATCH] kconfig: fix potential NULL pointer dereference in conf_askvalue
2026-02-26 20:35 ` Nathan Chancellor
@ 2026-03-01 5:31 ` Xingjing Deng
0 siblings, 0 replies; 5+ messages in thread
From: Xingjing Deng @ 2026-03-01 5:31 UTC (permalink / raw)
To: Nathan Chancellor; +Cc: nsc, rdunlap, masahiroy, linux-kbuild, linux-kernel
Nathan Chancellor <nathan@kernel.org> wrote on Fri, Feb 27, 2026 at 04:35:
>
> On Thu, Feb 26, 2026 at 09:25:28AM +0800, Xingjing Deng wrote:
> > Nathan Chancellor <nathan@kernel.org> wrote on Thu, Feb 26, 2026 at 03:44:
> > >
> > > On Wed, Feb 25, 2026 at 07:22:46AM +0000, Xingjing Deng wrote:
> > > > In conf_askvalue(), the 'def' argument (retrieved via sym_get_string_value)
> > > > can be NULL. When the symbol is not changeable, the code calls
> > > > printf("%s\n", def), which leads to a segmentation fault on certain
> > > > systems/libc implementations when passing a NULL pointer to %s.
> > >
> > > How do you reproduce this segmentation fault? Surely someone would have
> > > hit this if it were a real problem given the Fixes tag? Or is this a
> > > corner case?
> >
> > I tested printing NULL with printf locally and confirmed that it does
> > cause issues. In my opinion, this problem is more of a corner case—I
> > identified it through static program analysis and have not yet
> > reproduced it in practice.
>
> Thanks for confirming. I think it would be better to make this clearer
> in the commit message because it reads as though the problem is
> reproducible in practice. Also, 'def ?: ""' would do the same thing with
> fewer characters.
>
> Cheers,
> Nathan
OK, I have published v2 now.
Thanks for your reply.