author Dmitry Antipov <dmantipov@yandex.ru> 2023-05-19 10:46:38 +0300
committer Lucas De Marchi <lucas.de.marchi@gmail.com> 2023-05-30 12:56:54 -0700
commit badacf76e46b3602bc0e99ffc677ccbe53691f62
tree edc6165933ae77342456f1b65922bf7e130aec0c /libkmod/libkmod-module.c
parent 5c004af29daf38119cc472dc8f1f080f10da6d82
libkmod: fix possible out-of-bounds memory access

An attempt to pass too long module name to, say, rmmod, may
cause an out-of-bounds memory access (as reported by UBSan):

$ rmmod $(for i in $(seq 0 4200); do echo -ne x; done)
libkmod/libkmod-module.c:1828:8: runtime error: index 4107 out of bounds for type 'char [4096]'

This is because 'snprintf(path, sizeof(path), ...)' may return the
value which exceeds 'sizeof(path)' (which happens when an output
gets truncated). To play it safe, such a suspicious output is
better to be rejected explicitly.

Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://lore.kernel.org/r/20230519074638.402045-1-dmantipov@yandex.ru

Diffstat (limited to 'libkmod/libkmod-module.c')
-rw-r--r-- libkmod/libkmod-module.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
index 1da64b3..7736b7e 100644
--- a/libkmod/libkmod-module.c
+++ b/libkmod/libkmod-module.c
@@ -1810,6 +1810,10 @@ KMOD_EXPORT int kmod_module_get_initstate(const struct kmod_module *mod)
pathlen = snprintf(path, sizeof(path),
"/sys/module/%s/initstate", mod->name);
+ if (pathlen >= (int)sizeof(path)) {
+ /* Too long path was truncated */
+ return -ENAMETOOLONG;
+ }
fd = open(path, O_RDONLY|O_CLOEXEC);
if (fd < 0) {
err = -errno;
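
Review bot: the added test `pathlen >= (int)sizeof(path)` catches truncation but not a negative return from snprintf(), which it gives on an output error; in that case the function still falls through to open(path, ...) with a buffer whose contents cannot be relied on, and pathlen stays negative for any later use as a length. Consider `if (pathlen < 0 || pathlen >= (int)sizeof(path))`, keeping -ENAMETOOLONG for the truncation case. The comment could also say which input was too long (the module name in mod->name), since that is what a caller seeing this error needs to know.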