Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var (32f26da4) · Commits · e / devices / android_kernel_fairphone_FP4

[ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ] There is an out-of-bounds access to "config[len - 1]" array when the variable "len" is zero. See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()") for details. Signed-off-by:

Young Xiao <YangX92@hotmail.com> Signed-off-by:

Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:

Sasha Levin <sashal@kernel.org>

drivers/misc/kgdbts.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1139,7 +1139,7 @@ static void kgdbts_put_char(u8 chr)
		static int param_set_kgdbts_var(const char *kmessage,
		const struct kernel_param *kp)
		{
		int len = strlen(kmessage);
		size_t len = strlen(kmessage);

		if (len >= MAX_CONFIG_LEN) {
		printk(KERN_ERR "kgdbts: config string too long\n");
		@@ -1159,7 +1159,7 @@ static int param_set_kgdbts_var(const char *kmessage,

		strcpy(config, kmessage);
		/* Chop out \n char as a result of echo */
		if (config[len - 1] == '\n')
		if (len && config[len - 1] == '\n')
		config[len - 1] = '\0';

		/* Go and configure with the new params. */