kconfig: fix possible buffer overflow

BoardzMaster · roxanan1996 · commit f73b83501451 · 2024-01-05T14:38:22.000+01:00
BugLink: https://bugs.launchpad.net/bugs/2041702 [ Upstream commit a3b7039 ] Buffer 'new_argv' is accessed without bound check after accessing with bound check via 'new_argc' index. Fixes: e298f3b ("kconfig: add built-in function support") Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c
@@ -396,6 +396,9 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[])
 
 		p++;
 	}
+
+	if (new_argc >= FUNCTION_MAX_ARGS)
+		pperror("too many function arguments");
 	new_argv[new_argc++] = prev;
 
 	/*

Original file line number	Diff line number	Diff line change
`@@ -396,6 +396,9 @@ static char eval_clause(const char str, size_t len, int argc, char *argv[])`
`396`	`396`
`397`	`397`	`p++;`
`398`	`398`	`}`
	`399`	`+`
	`400`	`+ if (new_argc >= FUNCTION_MAX_ARGS)`
	`401`	`+ pperror("too many function arguments");`
`399`	`402`	`new_argv[new_argc++] = prev;`
`400`	`403`
`401`	`404`	`/*`