On Tue, 2026-04-07 at 14:09 +0800, Pengpeng Hou wrote: > evm_read_xattrs() allocates size + 1 bytes, fills them from the list of > enabled xattrs and then passes strlen(temp) to simple_read_from_buffer(). > When no configured xattrs are enabled, the fill loop stores nothing and > temp[0] remains uninitialized, so strlen() reads beyond initialized > memory. > > Use kzalloc() so the empty-list case stays a valid empty C string.
Please also add the Fixes: tag with the relevant commit. > Signed-off-by: Pengpeng Hou <[email protected]> > --- > security/integrity/evm/evm_secfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/integrity/evm/evm_secfs.c > b/security/integrity/evm/evm_secfs.c > index acd840461902..03d376fa36c2 100644 > --- a/security/integrity/evm/evm_secfs.c > +++ b/security/integrity/evm/evm_secfs.c > @@ -145,7 +145,7 @@ static ssize_t evm_read_xattrs(struct file *filp, char > __user *buf, > size += strlen(xattr->name) + 1; > } > > - temp = kmalloc(size + 1, GFP_KERNEL); > + temp = kzalloc(size + 1, GFP_KERNEL); Yes, or just set temp[size] to the terminator so that we don't waste computation. Can you also change sprintf() to snprintf()? Thanks Roberto > if (!temp) { > mutex_unlock(&xattr_list_mutex); > return -ENOMEM;
