Signed-off-by: Xin Shi <shixin21@huawei.com> (cherry picked from commit 15716d2841eaa73037827cb1b28a69db100c520e)
From badacf76e46b3602bc0e99ffc677ccbe53691f62 Mon Sep 17 00:00:00 2001
From: Dmitry Antipov <dmantipov@yandex.ru>
Date: Fri, 19 May 2023 10:46:38 +0300
Subject: [PATCH] libkmod: fix possible out-of-bounds memory access

An attempt to pass too long module name to, say, rmmod, may
cause an out-of-bounds memory access (as reported by UBSan):

$ rmmod $(for i in $(seq 0 4200); do echo -ne x; done)
libkmod/libkmod-module.c:1828:8: runtime error: index 4107 out of bounds for type 'char [4096]'

This is because 'snprintf(path, sizeof(path), ...)' may return the
value which exceeds 'sizeof(path)' (which happens when an output
gets truncated). To play it safe, such a suspicious output is
better to be rejected explicitly.

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://lore.kernel.org/r/20230519074638.402045-1-dmantipov@yandex.ru
---
libkmod/libkmod-module.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
index 1da64b3..7736b7e 100644
--- a/libkmod/libkmod-module.c
+++ b/libkmod/libkmod-module.c
@@ -1810,6 +1810,10 @@ KMOD_EXPORT int kmod_module_get_initstate(const struct kmod_module *mod)
pathlen = snprintf(path, sizeof(path),
"/sys/module/%s/initstate", mod->name);
+ if (pathlen >= (int)sizeof(path)) {
+ /* Too long path was truncated */
+ return -ENAMETOOLONG;
+ }
fd = open(path, O_RDONLY|O_CLOEXEC);
if (fd < 0) {
err = -errno;
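
Review bot: the added check after the snprintf() call tests only 'pathlen >= (int)sizeof(path)', so a negative return value (snprintf's error case) still falls through to open() with whatever 'path' happens to contain. Suggest 'if (pathlen < 0 || pathlen >= (int)sizeof(path))', with a separate error code for the negative case if callers need to tell the two apart. The comment could also say that this early return is what protects the later use of 'pathlen' as an index into 'path', since the UBSan report in the commit message points at line 1828, which is outside this hunk.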
--
2.27.0