Message ID | 20250212154537.235297-1-ant.v.moryakov@gmail.com (mailing list archive) |
---|---|
State | New |
Series | scripts: kconfig: Fix potential NULL pointer dereference in |
On Thu, Feb 13, 2025 at 12:45 AM Anton Moryakov <ant.v.moryakov@gmail.com> wrote: > > The function `prop_get_symbol` may return NULL, which was not checked > before dereferencing the pointer in `menu_finalize`. This could lead > to undefined behavior or crashes. Please attach a simple test case that leads to a crash. > > This commit adds a NULL check before accessing `es->rev_dep.expr` and > `es->implied.expr`. If `es` is NULL, a warning is logged, and the > operation is skipped. > > Triggers found by static analyzer Svace. In my understanding, P_SELECT always has a non-NULL ->expr if you look at the code in scripts/kconfig/parser.y menu_add_symbol(P_SELECT, $2, $3); $2 is the selected symbol, and passed to expr_alloc_symbol() > Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> > > --- > scripts/kconfig/menu.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c > index 0fe7f3255a..3fb3ab4637 100644 > --- a/scripts/kconfig/menu.c > +++ b/scripts/kconfig/menu.c > @@ -400,12 +400,18 @@ void menu_finalize(struct menu *parent) > */ > if (prop->type == P_SELECT) { > struct symbol *es = prop_get_symbol(prop); > - es->rev_dep.expr = expr_alloc_or(es->rev_dep.expr, > - expr_alloc_and(expr_alloc_symbol(menu->sym), expr_copy(dep))); > + if (es) { > + es->rev_dep.expr = expr_alloc_or(es->rev_dep.expr, > + expr_alloc_and(expr_alloc_symbol(menu->sym), expr_copy(dep))); > + } else > + menu_warn(menu, "select property has no symbol"); > } else if (prop->type == P_IMPLY) { > struct symbol *es = prop_get_symbol(prop); > - es->implied.expr = expr_alloc_or(es->implied.expr, > - expr_alloc_and(expr_alloc_symbol(menu->sym), expr_copy(dep))); > + if (es) { > + es->implied.expr = expr_alloc_or(es->implied.expr, > + expr_alloc_and(expr_alloc_symbol(menu->sym), expr_copy(dep))); > + } else > + menu_warn(menu, "imply property has no symbol"); > } > } > } > -- > 2.30.2 > >
diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c index 0fe7f3255a..3fb3ab4637 100644 --- a/scripts/kconfig/menu.c +++ b/scripts/kconfig/menu.c @@ -400,12 +400,18 @@ void menu_finalize(struct menu *parent) */ if (prop->type == P_SELECT) { struct symbol *es = prop_get_symbol(prop); - es->rev_dep.expr = expr_alloc_or(es->rev_dep.expr, - expr_alloc_and(expr_alloc_symbol(menu->sym), expr_copy(dep))); + if (es) { + es->rev_dep.expr = expr_alloc_or(es->rev_dep.expr, + expr_alloc_and(expr_alloc_symbol(menu->sym), expr_copy(dep))); + } else + menu_warn(menu, "select property has no symbol"); } else if (prop->type == P_IMPLY) { struct symbol *es = prop_get_symbol(prop); - es->implied.expr = expr_alloc_or(es->implied.expr, - expr_alloc_and(expr_alloc_symbol(menu->sym), expr_copy(dep))); + if (es) { + es->implied.expr = expr_alloc_or(es->implied.expr, + expr_alloc_and(expr_alloc_symbol(menu->sym), expr_copy(dep))); + } else + menu_warn(menu, "imply property has no symbol"); } } }
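Review bot: In both added branches of the `menu_finalize` hunk (P_SELECT and P_IMPLY), a NULL `es` is reduced to a `menu_warn()` and the `rev_dep`/`implied` update is skipped, so the select or imply is dropped from the dependency expressions while processing continues. If `prop_get_symbol(prop)` can really return NULL here, the commit message should name the condition that produces it and a Kconfig input that reaches it; if it cannot, the check is dead code and only hides a broken invariant. On style, `} else` followed by an unbraced `menu_warn(...)` mixes a braced and an unbraced branch; kernel coding style uses braces on both branches when one of them needs them, so write `} else {` ... `}` in both places.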
The function `prop_get_symbol` may return NULL, which was not checked before dereferencing the pointer in `menu_finalize`. This could lead to undefined behavior or crashes.

This commit adds a NULL check before accessing `es->rev_dep.expr` and `es->implied.expr`. If `es` is NULL, a warning is logged, and the operation is skipped.

Triggers found by static analyzer Svace.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>

---
 scripts/kconfig/menu.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)