Received: by 2002:a05:7412:f584:b0:e2:908c:2ebd with SMTP id eh4csp2023222rdb; Tue, 5 Sep 2023 11:53:57 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHD/Y3B4nReLrO91fIvDZhJIB0nBVks1Pcv3ccjq8ZpbCeyJwZeWmHs2d1v27DkjgkSdpyf X-Received: by 2002:a17:90b:3b90:b0:268:3ea0:7160 with SMTP id pc16-20020a17090b3b9000b002683ea07160mr12940507pjb.0.1693940037516; Tue, 05 Sep 2023 11:53:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1693940037; cv=none; d=google.com; s=arc-20160816; b=OpRHBMKdJ9o42u1X0OhR5Cw0tGpehm0O5qv7bZXhyaz9Sls4t7fI7wYHQuKpPKFpIO y87W5mNyORSZGneCFMKiMlms1ZjCpoyEnPYDFqd3InrlztedI16NNMLKAdklleWDQSVA otdQzx7WgV/GWErk7aWzB2gfz1jxJNl/2f2rIXS1Q0J8qfZP1Wux3OsbU5oSlee9A7Rl 6ykCC7/jRrzrEBGfvj94t+yJIV6bDjt1ms7MUZcAoLbXD6bLHdaR/gYEyebEsP5C2hAE auCOwS+uUDnY2+d/irHhZr4nOM3szMEe4CKPv5PjUv18ane9Thcg5ieayXBb+uNyyOlJ IXCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=N1PUEeze9QiFhzEkgSzVfpJgwYUEEYcZyd9Eu8qXt/g=; fh=DMgueEYE5KCF1/xkho6NXbb/zxFnx+k34Z0HoYcPSRw=; b=gBwz7OBKqp0fv1s8CuKGus0+rcDghBKzgjoM7L96BYQBvyAengyczzRG9zzOuxR7DP PWm6t8dB0QT4Lh6yUhlpTj6aVldvRVBpZEduET1tjEMkamxCKxbnPD9LHyoUOToA6Wu0 sg3H1bLWZxAufZZ8/W1dKZf9KG0H94QmXoKglO6ZIbc0n6hBYz03Nwpam9mTmnwhIb0J YILi/NZhNfU2EnG03tB599amJ06OwhghQGS/NFnzDCcw2kdSbkrhEm9DT4qKYRRZXPj6 PP/pOXrHma2tBW9zJgej8oQXY0LSs1EMLwlwzN9THbMrXBWCp5N+410jfKaCDMwWKvv/ 3Zhg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u10-20020a17090ae00a00b00261326aa56esi9914388pjy.5.2023.09.05.11.53.43; Tue, 05 Sep 2023 11:53:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351201AbjIERFQ (ORCPT + 99 others); Tue, 5 Sep 2023 13:05:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59976 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354162AbjIEJ71 (ORCPT ); Tue, 5 Sep 2023 05:59:27 -0400 Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CBC8118C; Tue, 5 Sep 2023 02:59:23 -0700 (PDT) Received: from lhrpeml500004.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4Rg1CY4m95z6D8dW; Tue, 5 Sep 2023 17:58:01 +0800 (CST) Received: from mscphis00759.huawei.com (10.123.66.134) by lhrpeml500004.china.huawei.com (7.191.163.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Tue, 5 Sep 2023 10:59:20 +0100 From: Konstantin Meskhidze To: CC: , , , Subject: [PATCH] kconfig: fix possible buffer overflow Date: Tue, 5 Sep 2023 17:59:14 +0800 Message-ID: <20230905095914.1699335-1-konstantin.meskhidze@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.123.66.134] X-ClientProxiedBy: mscpeml100002.china.huawei.com (7.188.26.75) To lhrpeml500004.china.huawei.com (7.191.163.9) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Buffer 'new_argv' is accessed without bound check after accessing with bound check via 'new_argc' index. Fixes: e298f3b49def ("kconfig: add built-in function support") Co-developed-by: Ivanov Mikhail Signed-off-by: Konstantin Meskhidze --- scripts/kconfig/preprocess.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c index 748da578b418..d1f5bcff4b62 100644 --- a/scripts/kconfig/preprocess.c +++ b/scripts/kconfig/preprocess.c @@ -387,24 +387,27 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[]) if (new_argc >= FUNCTION_MAX_ARGS) pperror("too many function arguments"); new_argv[new_argc++] = prev; prev = p + 1; } else if (*p == '(') { nest++; } else if (*p == ')') { nest--; } p++; } + + if (new_argc >= FUNCTION_MAX_ARGS) + pperror("too many function arguments"); new_argv[new_argc++] = prev; /* * Shift arguments * new_argv[0] represents a function name or a variable name. Put it * into 'name', then shift the rest of the arguments. This simplifies * 'const' handling. */ name = expand_string_with_args(new_argv[0], argc, argv); new_argc--; for (i = 0; i < new_argc; i++) new_argv[i] = expand_string_with_args(new_argv[i + 1], -- 2.34.1