lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <33059074b78110d4717efe09b887dd28ac77fe7f.camel@pengutronix.de>
Date:   Thu, 22 Sep 2022 18:01:40 +0200
From:   Johannes Zink <j.zink@...gutronix.de>
To:     masahiroy@...nel.org, linux-kbuild@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     kernel@...gutronix.de
Subject: PROBLEM: Segfault in kconfig

Hi everyone, 

[1.] One line summary of the problem: 
     kconfig crashes with segfault under rare circumstances
[2.] Full description of the problem/report:
     Under certain circumstances jump keys are displayed on the search 
     results even if a symbol is deactivated by one of its 
     dependencies. Using the jump keys then triggers a segmentation 
     fault due to a NULL dereference. Perform the following steps to 
     trigger the issue
     
     1.: ARCH=arm64 make defconfig
     2.: ARCH=arm64 make menuconfig

     3.: press '/' key to search for the string "EFI". Use jump key 
         (1) to jump to search result. Press 'n' key to deactivate the 
         entry. 
     4.: press '/' to seach for the string "ACPI". Use the jump key 
         (1) to jump to the search result. 

     Menuconfig then crashes with a segfault.
    
[3.] Keywords (i.e., modules, networking, kernel):
     kconfig, mconf
[4.] Kernel information
[4.1.] Kernel version (from /proc/version):
       v6.0.0-rc6
[4.2.] Kernel .config file: 
       arm64 default defconfig
[5.] Most recent kernel version which did not have the bug: 
     v5.15
[6.] Output of Oops.. message (if applicable) with symbolic information
     resolved (see Documentation/admin-guide/bug-hunting.rst): 
     not applicable
[7.] A small shell script or example program which triggers the
     problem (if possible):
     not applicable, please see description in [2.]
[8.] Environment
[8.1.] Software (add the output of the ver_linux script here): 
       not applicable
[8.2.] Processor information (from /proc/cpuinfo):
       not applicable
[8.3.] Module information (from /proc/modules):
       not applicable
[8.4.] Loaded driver and hardware information (/proc/ioports,
/proc/iomem):
       not applicable
[8.5.] PCI information ('lspci -vvv' as root):
       not applicable
[8.6.] SCSI information (from /proc/scsi/scsi):
       not applicable
[8.7.] Other information that might be relevant to the problem
       (please look in /proc and include all information that you
       think to be relevant):
       not applicable
[X.] Other notes, patches, fixes, workarounds:
    
     I found that the attached patch is a very hacky workaround to 
     keep menuconfig from crashing, but I am pretty sure the jump 
     keys should not have be activated for unaccessable entries in the
     first place. I found it quite hard to find the corresponding part
     in mconf, which is why I decided to send this bugreport instead 
     of sending a patch. Maybe someone on this list either knows mconf 
     really well and can just fix it, or guide me to where I can dig 
     around (though in that case I could really use some help on how 
     to debug menuconfig, since I found it challenging to get it 
     working with gdb)
     
Best regards
Johannes

---
scripts/kconfig/mconf.c | 3 ++-                                       
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c        
index 9d3cf510562f..60a82f701bd3 100644                               
--- a/scripts/kconfig/mconf.c                                         
+++ b/scripts/kconfig/mconf.c                                         
@@ -447,7 +447,8 @@ static void search_conf(void)                     
                again = false;
                for (i = 0; i < JUMP_NB && keys[i]; i++)
                        if (dres == keys[i]) {
-                               conf(targets[i]->parent, targets[i]); 
+                               if (targets[i]->parent)               
+                                       conf(targets[i]->parent,
targets[i]);
                                again = true;
                        }
                str_free(&res);

-- 
Pengutronix e.K.                | Johannes Zink                  |
Steuerwalder Str. 21            | https://www.pengutronix.de/    |
31137 Hildesheim, Germany       | Phone: +49-5121-206917-0       |
Amtsgericht Hildesheim, HRA 2686| Fax:   +49-5121-206917-5555    |

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ