PROBLEM: Segfault in kconfig

From: Johannes Zink
Date: Thu Sep 22 2022 - 12:01:50 EST


Hi everyone,

[1.] One line summary of the problem:
kconfig crashes with segfault under rare circumstances
[2.] Full description of the problem/report:
Under certain circumstances jump keys are displayed on the search
results even if a symbol is deactivated by one of its
dependencies. Using the jump keys then triggers a segmentation
fault due to a NULL dereference. Perform the following steps to
trigger the issue:

1.: ARCH=arm64 make defconfig
2.: ARCH=arm64 make menuconfig

3.: press '/' key to search for the string "EFI". Use jump key
(1) to jump to search result. Press 'n' key to deactivate the
entry.
4.: press '/' to search for the string "ACPI". Use the jump key
(1) to jump to the search result.

Menuconfig then crashes with a segfault.

[3.] Keywords (i.e., modules, networking, kernel):
kconfig, mconf
[4.] Kernel information
[4.1.] Kernel version (from /proc/version):
v6.0.0-rc6
[4.2.] Kernel .config file:
arm64 default defconfig
[5.] Most recent kernel version which did not have the bug:
v5.15
[6.] Output of Oops.. message (if applicable) with symbolic information
resolved (see Documentation/admin-guide/bug-hunting.rst):
not applicable
[7.] A small shell script or example program which triggers the
problem (if possible):
not applicable, please see description in [2.]
[8.] Environment
[8.1.] Software (add the output of the ver_linux script here):
not applicable
[8.2.] Processor information (from /proc/cpuinfo):
not applicable
[8.3.] Module information (from /proc/modules):
not applicable
[8.4.] Loaded driver and hardware information (/proc/ioports,
/proc/iomem):
not applicable
[8.5.] PCI information ('lspci -vvv' as root):
not applicable
[8.6.] SCSI information (from /proc/scsi/scsi):
not applicable
[8.7.] Other information that might be relevant to the problem
(please look in /proc and include all information that you
think to be relevant):
not applicable
[X.] Other notes, patches, fixes, workarounds:

I found that the attached patch is a very hacky workaround to
keep menuconfig from crashing, but I am pretty sure the jump
keys should not have been activated for inaccessible entries in the
first place. I found it quite hard to find the corresponding part
in mconf, which is why I decided to send this bug report instead
of sending a patch. Maybe someone on this list either knows mconf
really well and can just fix it, or guide me to where I can dig
around (though in that case I could really use some help on how
to debug menuconfig, since I found it challenging to get it
working with gdb).

Best regards
Johannes

---
scripts/kconfig/mconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c
index 9d3cf510562f..60a82f701bd3 100644
--- a/scripts/kconfig/mconf.c
+++ b/scripts/kconfig/mconf.c
@@ -447,7 +447,8 @@ static void search_conf(void)
again = false;
for (i = 0; i < JUMP_NB && keys[i]; i++)
if (dres == keys[i]) {
- conf(targets[i]->parent, targets[i]);
+ if (targets[i]->parent)
+ conf(targets[i]->parent,
targets[i]);
again = true;
}
str_free(&res);
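Review bot: the `if (targets[i]->parent)` guard around `conf()` only masks the NULL dereference; when `parent` is NULL the key press now silently does nothing while `again = true` is still set, so the user gets no feedback and the search loop just re-runs. As the report itself says, the real defect is that a jump key is assigned to a symbol whose menu is not reachable, so the fix belongs where `keys[]`/`targets[]` are populated (skip entries without a reachable parent when numbering the results), not in the key handler. If this guard is kept as an interim measure, a short comment explaining why `parent` can be NULL here (symbol deactivated by a dependency after the search) would help the next reader, and the continuation line `targets[i]);` should be indented to align with the opening parenthesis per kernel coding style.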

--
Pengutronix e.K. | Johannes Zink |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686| Fax: +49-5121-206917-5555 |