[PATCH] kconfig: fix segmentation fault in menuconfig search

[PATCH] kconfig: fix segmentation fault in menuconfig search

[Masahiro Yamada]

Since commit d05377e184fc ("kconfig: Create links to main menu items
in search"), menuconfig shows a jump key next to "Main menu" if the
nearest visible parent is the rootmenu. If you press that jump key,
menuconfig crashes with a segmentation fault.

For example, do this:

  $ make ARCH=arm64 allnoconfig menuconfig

Press '/' to search for the string "ACPI". Press '1' to choose
"(1) Main menu". Then, menuconfig crashed with a segmentation fault.

The following code in search_conf()

    conf(targets[i]->parent, targets[i]);

results in NULL pointer dereference because targets[i] is the rootmenu,
which does not have a parent.

Commit d05377e184fc tried to fix the issue of top-level items not having
a jump key, but adding the "Main menu" was not the right fix.

The correct fix is to show the searched item itself. This fixes another
weird behavior described in the comment block.

Fixes: d05377e184fc ("kconfig: Create links to main menu items in search")
Reported-by: Johannes Zink <j.zink@pengutronix.de>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---

 scripts/kconfig/menu.c | 23 ++++-------------------
 1 file changed, 4 insertions(+), 19 deletions(-)

diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c
index 62b6313f51c8..109325f31bef 100644
--- a/scripts/kconfig/menu.c
+++ b/scripts/kconfig/menu.c
@@ -722,8 +722,8 @@ static void get_prompt_str(struct gstr *r, struct property *prop,
 	if (!expr_eq(prop->menu->dep, prop->visible.expr))
 		get_dep_str(r, prop->visible.expr, "  Visible if: ");
 
-	menu = prop->menu->parent;
-	for (i = 0; menu && i < 8; menu = menu->parent) {
+	menu = prop->menu;
+	for (i = 0; menu != &rootmenu && i < 8; menu = menu->parent) {
 		bool accessible = menu_is_visible(menu);
 
 		submenu[i++] = menu;
@@ -733,16 +733,7 @@ static void get_prompt_str(struct gstr *r, struct property *prop,
 	if (head && location) {
 		jump = xmalloc(sizeof(struct jump_key));
 
-		if (menu_is_visible(prop->menu)) {
-			/*
-			 * There is not enough room to put the hint at the
-			 * beginning of the "Prompt" line. Put the hint on the
-			 * last "Location" line even when it would belong on
-			 * the former.
-			 */
-			jump->target = prop->menu;
-		} else
-			jump->target = location;
+		jump->target = location;
 
 		if (list_empty(head))
 			jump->index = 0;
@@ -758,13 +749,7 @@ static void get_prompt_str(struct gstr *r, struct property *prop,
 		menu = submenu[i];
 		if (jump && menu == location)
 			jump->offset = strlen(r->s);
-
-		if (menu == &rootmenu)
-			/* The real rootmenu prompt is ugly */
-			str_printf(r, "%*cMain menu", j, ' ');
-		else
-			str_printf(r, "%*c-> %s", j, ' ', menu_get_prompt(menu));
-
+		str_printf(r, "%*c-> %s", j, ' ', menu_get_prompt(menu));
 		if (menu->sym) {
 			str_printf(r, " (%s [=%s])", menu->sym->name ?
 				menu->sym->name : "<choice>",
-- 
2.34.1

Re: [PATCH] kconfig: fix segmentation fault in menuconfig search

[Bagas Sanjaya]

[-- Attachment #1: Type: text/plain, Size: 1673 bytes --]

On Mon, Oct 24, 2022 at 04:10:55AM +0900, Masahiro Yamada wrote:
> Since commit d05377e184fc ("kconfig: Create links to main menu items
> in search"), menuconfig shows a jump key next to "Main menu" if the
> nearest visible parent is the rootmenu. If you press that jump key,
> menuconfig crashes with a segmentation fault.
> 
> For example, do this:
> 
>   $ make ARCH=arm64 allnoconfig menuconfig
> 
> Press '/' to search for the string "ACPI". Press '1' to choose
> "(1) Main menu". Then, menuconfig crashed with a segmentation fault.

You missed the prerequisites: search EFI and press 1 to jump to
CONFIG_EFI.

> 
> The following code in search_conf()
> 
>     conf(targets[i]->parent, targets[i]);
> 
> results in NULL pointer dereference because targets[i] is the rootmenu,
> which does not have a parent.
> 
> Commit d05377e184fc tried to fix the issue of top-level items not having
> a jump key, but adding the "Main menu" was not the right fix.
> 
> The correct fix is to show the searched item itself. This fixes another
> weird behavior described in the comment block.
> 
> Fixes: d05377e184fc ("kconfig: Create links to main menu items in search")
> Reported-by: Johannes Zink <j.zink@pengutronix.de>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> Link: https://lore.kernel.org/r/20221023191055.85098-1-masahiroy@kernel.org

Missing Cc: stable? The segfault (IMO) appears after v5.15, so all
supported stable branches are affected.

Anyway, the segfault gone away with this patch applied. Thanks.

Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>

-- 
An old man doll... just what I always wanted! - Clara

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH] kconfig: fix segmentation fault in menuconfig search

[Masahiro Yamada]

On Mon, Oct 24, 2022 at 12:04 PM Bagas Sanjaya <bagasdotme@gmail.com> wrote:
>
> On Mon, Oct 24, 2022 at 04:10:55AM +0900, Masahiro Yamada wrote:
> > Since commit d05377e184fc ("kconfig: Create links to main menu items
> > in search"), menuconfig shows a jump key next to "Main menu" if the
> > nearest visible parent is the rootmenu. If you press that jump key,
> > menuconfig crashes with a segmentation fault.
> >
> > For example, do this:
> >
> >   $ make ARCH=arm64 allnoconfig menuconfig
> >
> > Press '/' to search for the string "ACPI". Press '1' to choose
> > "(1) Main menu". Then, menuconfig crashed with a segmentation fault.
>
> You missed the prerequisites: search EFI and press 1 to jump to
> CONFIG_EFI.


Try the command in my commit description.

"allnoconfig" disables EFI.





> >
> > The following code in search_conf()
> >
> >     conf(targets[i]->parent, targets[i]);
> >
> > results in NULL pointer dereference because targets[i] is the rootmenu,
> > which does not have a parent.
> >
> > Commit d05377e184fc tried to fix the issue of top-level items not having
> > a jump key, but adding the "Main menu" was not the right fix.
> >
> > The correct fix is to show the searched item itself. This fixes another
> > weird behavior described in the comment block.
> >
> > Fixes: d05377e184fc ("kconfig: Create links to main menu items in search")
> > Reported-by: Johannes Zink <j.zink@pengutronix.de>
> > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> > Link: https://lore.kernel.org/r/20221023191055.85098-1-masahiroy@kernel.org
>
> Missing Cc: stable? The segfault (IMO) appears after v5.15, so all
> supported stable branches are affected.



In my understanding, Fixes: is enough to automatically find which stable kernels
to which the patch should be back-ported.



>
> Anyway, the segfault gone away with this patch applied. Thanks.
>
> Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
>
> --
> An old man doll... just what I always wanted! - Clara



-- 
Best Regards
Masahiro Yamada

Re: [PATCH] kconfig: fix segmentation fault in menuconfig search

[Bagas Sanjaya]

On 10/24/22 11:53, Masahiro Yamada wrote:
>>
>> You missed the prerequisites: search EFI and press 1 to jump to
>> CONFIG_EFI.
> 
> 
> Try the command in my commit description.
> 
> "allnoconfig" disables EFI.
> 

I can also reproduce the segfault by allyesconfig then disable
CONFIG_EFI.

-- 
An old man doll... just what I always wanted! - Clara

Re: [PATCH] kconfig: fix segmentation fault in menuconfig search

[Johannes Zink]

Hi Masahiro,

On Mon, 2022-10-24 at 04:10 +0900, Masahiro Yamada wrote:
> Since commit d05377e184fc ("kconfig: Create links to main menu items
> in search"), menuconfig shows a jump key next to "Main menu" if the
> nearest visible parent is the rootmenu. If you press that jump key,
> menuconfig crashes with a segmentation fault.
> 
> For example, do this:
> 
>   $ make ARCH=arm64 allnoconfig menuconfig
> 
> Press '/' to search for the string "ACPI". Press '1' to choose
> "(1) Main menu". Then, menuconfig crashed with a segmentation fault.
> 
> The following code in search_conf()
> 
>     conf(targets[i]->parent, targets[i]);
> 
> results in NULL pointer dereference because targets[i] is the
> rootmenu,
> which does not have a parent.
> 
> Commit d05377e184fc tried to fix the issue of top-level items not
> having
> a jump key, but adding the "Main menu" was not the right fix.
> 
> The correct fix is to show the searched item itself. This fixes
> another
> weird behavior described in the comment block.
> 
> Fixes: d05377e184fc ("kconfig: Create links to main menu items in
> search")
> Reported-by: Johannes Zink <j.zink@pengutronix.de>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>

Sorry for the delay, I eventually found time to test your patch, and it
fixes the issue I reported. Thank you for helping out, feel free to add
my

Tested-by: Johannes Zink <j.zink@pengutronix.de>

> ---
> 
>  scripts/kconfig/menu.c | 23 ++++-------------------
>  1 file changed, 4 insertions(+), 19 deletions(-)
> 
> diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c
> index 62b6313f51c8..109325f31bef 100644
> --- a/scripts/kconfig/menu.c
> +++ b/scripts/kconfig/menu.c
> @@ -722,8 +722,8 @@ static void get_prompt_str(struct gstr *r, struct
> property *prop,
>         if (!expr_eq(prop->menu->dep, prop->visible.expr))
>                 get_dep_str(r, prop->visible.expr, "  Visible if: ");
>  
> -       menu = prop->menu->parent;
> -       for (i = 0; menu && i < 8; menu = menu->parent) {
> +       menu = prop->menu;
> +       for (i = 0; menu != &rootmenu && i < 8; menu = menu->parent)
> {
>                 bool accessible = menu_is_visible(menu);
>  
>                 submenu[i++] = menu;
> @@ -733,16 +733,7 @@ static void get_prompt_str(struct gstr *r,
> struct property *prop,
>         if (head && location) {
>                 jump = xmalloc(sizeof(struct jump_key));
>  
> -               if (menu_is_visible(prop->menu)) {
> -                       /*
> -                        * There is not enough room to put the hint
> at the
> -                        * beginning of the "Prompt" line. Put the
> hint on the
> -                        * last "Location" line even when it would
> belong on
> -                        * the former.
> -                        */
> -                       jump->target = prop->menu;
> -               } else
> -                       jump->target = location;
> +               jump->target = location;
>  
>                 if (list_empty(head))
>                         jump->index = 0;
> @@ -758,13 +749,7 @@ static void get_prompt_str(struct gstr *r,
> struct property *prop,
>                 menu = submenu[i];
>                 if (jump && menu == location)
>                         jump->offset = strlen(r->s);
> -
> -               if (menu == &rootmenu)
> -                       /* The real rootmenu prompt is ugly */
> -                       str_printf(r, "%*cMain menu", j, ' ');
> -               else
> -                       str_printf(r, "%*c-> %s", j, ' ',
> menu_get_prompt(menu));
> -
> +               str_printf(r, "%*c-> %s", j, ' ',
> menu_get_prompt(menu));
>                 if (menu->sym) {
>                         str_printf(r, " (%s [=%s])", menu->sym->name
> ?
>                                 menu->sym->name : "<choice>",

-- 
Pengutronix e.K.                | Johannes Zink                  |
Steuerwalder Str. 21            | https://www.pengutronix.de/    |
31137 Hildesheim, Germany       | Phone: +49-5121-206917-0       |
Amtsgericht Hildesheim, HRA 2686| Fax:   +49-5121-206917-5555    |

Re: [PATCH] kconfig: fix segmentation fault in menuconfig search

[Masahiro Yamada]

On Tue, Nov 1, 2022 at 2:31 AM Johannes Zink <j.zink@pengutronix.de> wrote:
>
> Hi Masahiro,
>
> On Mon, 2022-10-24 at 04:10 +0900, Masahiro Yamada wrote:
> > Since commit d05377e184fc ("kconfig: Create links to main menu items
> > in search"), menuconfig shows a jump key next to "Main menu" if the
> > nearest visible parent is the rootmenu. If you press that jump key,
> > menuconfig crashes with a segmentation fault.
> >
> > For example, do this:
> >
> >   $ make ARCH=arm64 allnoconfig menuconfig
> >
> > Press '/' to search for the string "ACPI". Press '1' to choose
> > "(1) Main menu". Then, menuconfig crashed with a segmentation fault.
> >
> > The following code in search_conf()
> >
> >     conf(targets[i]->parent, targets[i]);
> >
> > results in NULL pointer dereference because targets[i] is the
> > rootmenu,
> > which does not have a parent.
> >
> > Commit d05377e184fc tried to fix the issue of top-level items not
> > having
> > a jump key, but adding the "Main menu" was not the right fix.
> >
> > The correct fix is to show the searched item itself. This fixes
> > another
> > weird behavior described in the comment block.
> >
> > Fixes: d05377e184fc ("kconfig: Create links to main menu items in
> > search")
> > Reported-by: Johannes Zink <j.zink@pengutronix.de>
> > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
>
> Sorry for the delay, I eventually found time to test your patch, and it
> fixes the issue I reported. Thank you for helping out, feel free to add
> my
>
> Tested-by: Johannes Zink <j.zink@pengutronix.de>


Applied to linux-kbuild/fixes.



> > ---
> >
> >  scripts/kconfig/menu.c | 23 ++++-------------------
> >  1 file changed, 4 insertions(+), 19 deletions(-)
> >
> > diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c
> > index 62b6313f51c8..109325f31bef 100644
> > --- a/scripts/kconfig/menu.c
> > +++ b/scripts/kconfig/menu.c
> > @@ -722,8 +722,8 @@ static void get_prompt_str(struct gstr *r, struct
> > property *prop,
> >         if (!expr_eq(prop->menu->dep, prop->visible.expr))
> >                 get_dep_str(r, prop->visible.expr, "  Visible if: ");
> >
> > -       menu = prop->menu->parent;
> > -       for (i = 0; menu && i < 8; menu = menu->parent) {
> > +       menu = prop->menu;
> > +       for (i = 0; menu != &rootmenu && i < 8; menu = menu->parent)
> > {
> >                 bool accessible = menu_is_visible(menu);
> >
> >                 submenu[i++] = menu;
> > @@ -733,16 +733,7 @@ static void get_prompt_str(struct gstr *r,
> > struct property *prop,
> >         if (head && location) {
> >                 jump = xmalloc(sizeof(struct jump_key));
> >
> > -               if (menu_is_visible(prop->menu)) {
> > -                       /*
> > -                        * There is not enough room to put the hint
> > at the
> > -                        * beginning of the "Prompt" line. Put the
> > hint on the
> > -                        * last "Location" line even when it would
> > belong on
> > -                        * the former.
> > -                        */
> > -                       jump->target = prop->menu;
> > -               } else
> > -                       jump->target = location;
> > +               jump->target = location;
> >
> >                 if (list_empty(head))
> >                         jump->index = 0;
> > @@ -758,13 +749,7 @@ static void get_prompt_str(struct gstr *r,
> > struct property *prop,
> >                 menu = submenu[i];
> >                 if (jump && menu == location)
> >                         jump->offset = strlen(r->s);
> > -
> > -               if (menu == &rootmenu)
> > -                       /* The real rootmenu prompt is ugly */
> > -                       str_printf(r, "%*cMain menu", j, ' ');
> > -               else
> > -                       str_printf(r, "%*c-> %s", j, ' ',
> > menu_get_prompt(menu));
> > -
> > +               str_printf(r, "%*c-> %s", j, ' ',
> > menu_get_prompt(menu));
> >                 if (menu->sym) {
> >                         str_printf(r, " (%s [=%s])", menu->sym->name
> > ?
> >                                 menu->sym->name : "<choice>",
>
> --
> Pengutronix e.K.                | Johannes Zink                  |
> Steuerwalder Str. 21            | https://www.pengutronix.de/    |
> 31137 Hildesheim, Germany       | Phone: +49-5121-206917-0       |
> Amtsgericht Hildesheim, HRA 2686| Fax:   +49-5121-206917-5555    |
>


-- 
Best Regards
Masahiro Yamada