Message ID | 20230519074638.402045-1-dmantipov@yandex.ru (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | libkmod: fix possible out-of-bounds memory access | expand |
On Fri, 19 May 2023 10:46:38 +0300, Dmitry Antipov wrote: > An attempt to pass too long module name to, say, rmmod, may > cause an out-of-bounds memory access (as repoted by UBSan): > > $ rmmod $(for i in $(seq 0 4200); do echo -ne x; done) > libkmod/libkmod-module.c:1828:8: runtime error: index 4107 out of bounds for type 'char [4096]' > > This is because 'snprintf(path, sizeof(path), ...)' may return the > value which exceeds 'sizeof(path)' (which happens when an output > gets truncated). To play it safe, such a suspicious output is > better to be rejected explicitly. > > [...] Applied, thanks! [1/1] libkmod: fix possible out-of-bounds memory access commit: badacf76e46b3602bc0e99ffc677ccbe53691f62 Best regards,
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c index 1da64b3..7736b7e 100644 --- a/libkmod/libkmod-module.c +++ b/libkmod/libkmod-module.c @@ -1810,6 +1810,10 @@ KMOD_EXPORT int kmod_module_get_initstate(const struct kmod_module *mod) pathlen = snprintf(path, sizeof(path), "/sys/module/%s/initstate", mod->name); + if (pathlen >= (int)sizeof(path)) { + /* Too long path was truncated */ + return -ENAMETOOLONG; + } fd = open(path, O_RDONLY|O_CLOEXEC); if (fd < 0) { err = -errno;