Re: [PATCH] sched/isolation: Prevent out-of-bounds read in isolcpus= boot parameter parser
From: Valentin Schneider
Date: Fri Jun 12 2026 - 06:12:11 EST

On 23/05/26 17:02, Aaron Tomlin wrote:
> The "isolcpus=" boot parameter parser in housekeeping_isolcpus_setup()
> contains an out-of-bounds memory read bug when handling unterminated
> flags.
>
> When parsing the boot parameter string, the logic expects flags to be
> comma-separated. If a user passes an unrecognised or legitimate flag
> at the very end of the string without a trailing comma (e.g.,
> "isolcpus=unknown"), the strict strncmp() checks will fail.
>
> The execution then falls through to a fallback for loop designed to
> skip the unknown sub-parameter. This inner loop consumes characters until
> it encounters either a comma or the NULL terminator ('\0'). When the loop
> terminates due to hitting the end of the string, the str pointer rests
> exactly on the NULL terminator.
>
> However, immediately following this inner loop, the code unconditionally
> executes str++. This advances the pointer past the end of the string
> and into uninitialised memory. The outer while (isalpha(*str)) loop
> subsequently evaluates this out-of-bounds memory. If the adjacent byte
> happens to be alphabetical, the parser will continue reading garbage
> data, potentially leading to undefined behavior or boot anomalies.
>
> Fix this by adding a bounds check immediately before the pointer
> increment. This ensures the parsing loop cleanly terminates when
> reaching the end of the boot parameter string.
>
> Fixes: 3662daf023500 ("sched/isolation: Allow "isolcpus=" to skip unknown sub-parameters")
> Signed-off-by: Aaron Tomlin <atomlin@xxxxxxxxxxx>

Reviewed-by: Valentin Schneider <vschneid@xxxxxxxxxx>
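
The overshoot described in the quoted commit message, as an added example that is not part of this thread or of the kernel source: a simplified user-space model of the flag loop, run with and without an end-of-string check before the increment. The names `parse_flags`, `guard` and `sample` are hypothetical, the check is written as `if (*str == '\0') break;` as an assumption (the patch itself is not shown here), and the input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified user-space model of the flag loop (not the kernel source).
 * Returns the offset at which parsing stopped. With guard set, the
 * end-of-string check runs before the increment (assumed form of the fix).
 */
static size_t parse_flags(const char *buf, int guard)
{
	const char *str = buf;

	while (isalpha((unsigned char)*str)) {
		if (!strncmp(str, "nohz,", 5)) {
			str += 5;
			continue;
		}
		if (!strncmp(str, "domain,", 7)) {
			str += 7;
			continue;
		}
		/* Skip an unknown or unterminated flag up to ',' or '\0'. */
		while (*str && *str != ',')
			str++;
		if (guard && *str == '\0')
			break;
		str++;	/* unguarded: steps over the terminator */
	}
	return (size_t)(str - buf);
}

/*
 * Constructed input: the parameter value, its terminator, then unrelated
 * bytes in the same array, so the overshoot stays inside one object and
 * can be observed without undefined behaviour.
 */
static const char sample[] = "unknown\0stale,9";

int main(void)
{
	printf("value length:  %zu\n", strlen(sample));
	printf("unguarded end: %zu\n", parse_flags(sample, 0));
	printf("guarded end:   %zu\n", parse_flags(sample, 1));
	return 0;
}
```

The unguarded run stops at offset 14, inside the bytes that follow the terminator, while the guarded run stops at offset 7, on the terminator itself.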