tracing/probe: reject non-closed empty immediate strings

neosys007 · mhiramat · commit 4346be6577aa · 2026-04-06T09:22:42.000+09:00
parse_probe_arg() accepts quoted immediate strings and passes the body after the opening quote to __parse_imm_string(). That helper currently computes strlen(str) and immediately dereferences str[len - 1], which underflows when the body is empty and not closed with double-quotation. Reject empty non-closed immediate strings before checking for the closing quote. Link: https://lore.kernel.org/all/20260401160315.88518-1-pengpeng@iscas.ac.cn/ Fixes: a42e3c4 ("tracing/probe: Add immediate string parameter support") Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
@@ -1068,7 +1068,7 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
 {
 	size_t len = strlen(str);
 
-	if (str[len - 1] != '"') {
+	if (!len || str[len - 1] != '"') {
 		trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);
 		return -EINVAL;
 	}

Original file line number	Diff line number	Diff line change
`@@ -1068,7 +1068,7 @@ static int __parse_imm_string(char str, char *pbuf, int offs)`
`1068`	`1068`	`{`
`1069`	`1069`	`size_t len = strlen(str);`
`1070`	`1070`
`1071`		`- if (str[len - 1] != '"') {`
	`1071`	`+ if (!len \|\| str[len - 1] != '"') {`
`1072`	`1072`	`trace_probe_log_err(offs + len, IMMSTR_NO_CLOSE);`
`1073`	`1073`	`return -EINVAL;`
`1074`	`1074`	`}`