From: Joshua Rogers <linux@joshua.hu> mainline inclusion from mainline-v6.19-rc3 commit d4b69a6186b215d2dc1ebcab965ed88e8d41768d category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13435 CVE: CVE-2025-71120 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()") Cc: stable@vger.kernel.org Signed-off-by: Joshua Rogers <linux@joshua.hu> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Conflicts: net/sunrpc/auth_gss/svcauth_gss.c [conflicts due to not merge c020fa695af6 ("SUNRPC: Convert server-side GSS upcall helpers to use xdr_stream").] Signed-off-by: Li Xiasong <lixiasong1@huawei.com> --- net/sunrpc/auth_gss/svcauth_gss.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 406ff7f8b156..9cc7221d8693 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -1179,7 +1179,8 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, } length = min_t(unsigned int, inlen, argv->iov_len); - memcpy(page_address(in_token->pages[0]), argv->iov_base, length); + if (length) + memcpy(page_address(in_token->pages[0]), argv->iov_base, length); inlen -= length; to_offs = length; -- 2.34.1