Re: [PATCH v5 01/22] bootconfig: Add Extra Boot Config support

Steven Rostedt <rostedt@xxxxxxxxxxx> · Tue, 7 Jan 2020 22:03:49 -0500

On Tue, 7 Jan 2020 20:59:45 -0500
Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:

> 
> > +
> > +/*
> > + * Return delimiter or error, no node added. As same as lib/cmdline.c,
> > + * you can use " around spaces, but can't escape " for value.
> > + */
> > +static int __init __xbc_parse_value(char **__v, char **__n)
> > +{
> > +	char *p, *v = *__v;
> > +	int c, quotes = 0;
> > +
> > +	v = skip_spaces(v);
> > +	while (*v == '#') {
> > +		v = skip_comment(v);
> > +		v = skip_spaces(v);
> > +	}
> > +	if (*v == '"' || *v == '\'') {
> > +		quotes = *v;
> > +		v++;
> > +	}
> > +	p = v - 1;
> > +	while ((c = *++p)) {
> > +		if (!isprint(c) && !isspace(c))
> > +			return xbc_parse_error("Non printable value", p);
> > +		if (quotes) {
> > +			if (c != quotes)
> > +				continue;
> > +			quotes = 0;
> > +			*p++ = '\0';
> > +			p = skip_spaces(p);  
> 
> Hmm, if p here == "    \0" then skip_spaces() will make p == "\0"
> 
> > +			c = *p;
> > +			if (c && !strchr(",;\n#}", c))
> > +				return xbc_parse_error("No value delimiter", p);
> > +			p++;  
> 
> Now p == one passed "\0" which is in unknown territory.

I like how you have patch 3 use this code. It makes it easy to test,
and valgrind pointed out that this is a bug. With a file that just
contained:

   foo = "1"

I ran this:

  $ valgrind -v --leak-check=full ./tools/bootconfig/bootconfig -a /tmp/boot-bad /tmp/initrd  2>/tmp/out

Which gave me this:

==18929== Invalid read of size 1
==18929==    at 0x483FC02: strpbrk (vg_replace_strmem.c:1690)
==18929==    by 0x40263C: xbc_init (bootconfig.c:724)
==18929==    by 0x403162: apply_xbc (main.c:255)
==18929==    by 0x403346: main (main.c:331)
==18929==  Address 0x4a4e09f is 0 bytes after a block of size 15 alloc'd
==18929==    at 0x483780B: malloc (vg_replace_malloc.c:309)
==18929==    by 0x402B9D: load_xbc_fd (main.c:95)
==18929==    by 0x402C87: load_xbc_file (main.c:120)
==18929==    by 0x4030AC: apply_xbc (main.c:238)
==18929==    by 0x403346: main (main.c:331)

Which proves this the issue as when I apply the patch below, this goes
away:

-- Steve

diff --git a/lib/bootconfig.c b/lib/bootconfig.c
index 7a7cdc45bf62..0793ef9f48b8 100644
--- a/lib/bootconfig.c
+++ b/lib/bootconfig.c
@@ -468,7 +468,8 @@ static int __init __xbc_parse_value(char **__v, char **__n)
 			c = *p;
 			if (c && !strchr(",;\n#}", c))
 				return xbc_parse_error("No value delimiter", p);
-			p++;
+			if (*p)
+				p++;
 			break;
 		}
 		if (strchr(",;\n#}", c)) {






