[PATCH] tomoyo: reject short exec.envp[] names before suffix checks

Next message: Andy Shevchenko: "Re: [PATCH] gpio: drop bitmap_complement() where feasible"
Previous message: Pengpeng Hou: "[PATCH] bpf: crypto: reject unterminated type and algorithm names"
Next in thread: Tetsuo Handa: "Re: [PATCH] tomoyo: reject short exec.envp[] names before suffix checks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Fri Apr 17 2026 - 03:33:30 EST

tomoyo_parse_envp() assumes that the left-hand side still ends with the
closing '"' and ']' from an exec.envp["..."] condition and immediately
backs up from strlen(left) - 1 to verify that suffix.

If policy input leaves an empty or one-byte string here, the parser
reads before the start of the token while checking for the suffix.

Reject left-hand strings that are too short to contain the required '"]'
terminator before dereferencing the trailing characters.

Fixes: 5b636857fee6 ("TOMOYO: Allow using argv[]/envp[] of execve() as conditions.")
Cc: stable@xxxxxxxxxxxxxxx

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
security/tomoyo/condition.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/security/tomoyo/condition.c b/security/tomoyo/condition.c
index f8bcc083bb0d..1fa8343df4b3 100644
--- a/security/tomoyo/condition.c
+++ b/security/tomoyo/condition.c
@@ -320,7 +320,13 @@ static bool tomoyo_parse_envp(char *left, char *right,
{
const struct tomoyo_path_info *name;
const struct tomoyo_path_info *value;
- char *cp = left + strlen(left) - 1;
+ size_t len = strlen(left);
+ char *cp;
+
+ if (len < 2)
+ goto out;
+
+ cp = left + len - 1;

if (*cp-- != ']' || *cp != '"')
goto out;
--
2.50.1 (Apple Git-155)