[PATCH] um: Fix null pointer dereference when parsing ubd commandline arguments

Joshua Hawking joshuahawking1 at gmail.com
Sat Jan 2 09:03:52 EST 2021


From: Adam Watson (aw414141 at gmail.com)

When passing one or two arguments to ubd during UML setup - i.e.
ubd0=File or ubd0=File,Backing_File - the parsing code introduced in commit
ef3ba87cb7c9 ("um: ubd: Set device serial attribute from cmdline") does not
check whether strsep consumed the entire string without finding a delimiter
last time it was called (and so has set str to NULL, causing the next output
of strsep on that string to be NULL) before attempting to dereference the
output of it inside the if statements. For example, with two arguments (and
only 1 comma/colon), serial will be NULL, and (*serial == '\0') causes a null
pointer dereference.

Signed-off-by: Adam Watson (aw414141 at gmail.com)
Signed-off-by: Joshua Hawking (joshuahawking1 at gmail.com)
Tested-by: Joshua Hawking (joshuahawking1 at gmail.com)
Fixes: ef3ba87cb7c9 ("um: ubd: Set device serial attribute from cmdline")
---
--- b/arch/um/drivers/ubd_kern.c    2021-01-02 13:13:55.995018942 +0000
+++ a/arch/um/drivers/ubd_kern.c    2021-01-02 13:16:16.847023905 +0000
@@ -375,11 +375,11 @@ break_loop:
         file = NULL;
 
     backing_file = strsep(&str, ",:");
-    if (*backing_file == '\0')
+    if (backing_file && *backing_file == '\0')
         backing_file = NULL;
 
     serial = strsep(&str, ",:");
-    if (*serial == '\0')
+    if (serial && *serial == '\0')
         serial = NULL;
 
     if (backing_file && ubd_dev->no_cow) {
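
Review bot: After the second guard, `if (serial && *serial == '\0')`, serial stays NULL whenever the serial argument is omitted, and no consumer of serial is visible in this hunk, so please confirm that the code which later reads serial accepts NULL. The trailing context line `if (backing_file && ubd_dev->no_cow) {` shows that backing_file already gets that treatment. Separately, the file headers are reversed: `--- b/arch/um/drivers/ubd_kern.c` names the old file and `+++ a/arch/um/drivers/ubd_kern.c` the new one. Regenerating the patch with git format-patch would give the conventional a/ (old) and b/ (new) prefixes.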





