evm_read_xattrs() allocates size + 1 bytes, fills them from the list of enabled xattrs and then passes strlen(temp) to simple_read_from_buffer(). When no configured xattrs are enabled, the fill loop stores nothing and temp[0] remains uninitialized, so strlen() reads beyond initialized memory.
Use kzalloc() so the empty-list case stays a valid empty C string. Signed-off-by: Pengpeng Hou <[email protected]> --- security/integrity/evm/evm_secfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index acd840461902..03d376fa36c2 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -145,7 +145,7 @@ static ssize_t evm_read_xattrs(struct file *filp, char __user *buf, size += strlen(xattr->name) + 1; } - temp = kmalloc(size + 1, GFP_KERNEL); + temp = kzalloc(size + 1, GFP_KERNEL); if (!temp) { mutex_unlock(&xattr_list_mutex); return -ENOMEM; -- 2.50.1 (Apple Git-155)
